Google is changing how it approaches bug reports. According to a blog post from Google Project Zero, the Silicon Valley giant will update a 2020 policy with the goal of creating a system that leads to a quicker patch rate. The original policy gave vendors a 90-day period to patch an exploitable vulnerability. After this 90-day period, the vulnerability report would be released regardless of whether a patch existed. If there wasn’t a patch, this was theoretically supposed to light a fire under the vendor to hurry up before attacks occurred. In reality, this did not happen. This led to the situation, and subsequent resolution, described in the following Google Project Zero blog post excerpt:
We didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn’t clearly understood.
The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.
This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines.
There is always a delicate balance when dealing with vulnerabilities, and this is not the first time Google has made changes to its patch timetable policy. On the one hand, you want the public to be aware of possible attack vectors in their devices. The problem is that vulnerability disclosures also give attackers the proverbial keys to the kingdom. The technical details in a threat report, more or less, provide a roadmap for threat actors who want to penetrate a specific target. If there is no patch for the vulnerability, the chance of attacks increases significantly, even if workarounds exist.
The quicker a patch is released, the better it is for everyone. The reality is that some vendors simply cannot meet strict deadlines. Hopefully, the new Google 90+30 policy leads to faster patching. Only time will tell.
Featured image: Flickr/Carlos Luna