
Project Zero Extends Its Vulnerability Disclosure Agreement to 90 Days, Changes to Follow

Project Zero is changing its vulnerability disclosure policy to give software developers more time to patch vulnerabilities. This year, the Google-founded Project Zero will run a trial of a hard 90-day disclosure period. Project Zero will now give a vendor the full 90 days before disclosing a vulnerability, regardless of whether the vendor patches it within that 90-day window. Disclosure earlier than 90 days is based on a mutual agreement with the affected vendor.

The goal of the policy change is three-fold. Project Zero wants faster patch development in the event a vulnerability is identified, a more thorough patch development process, and improved patch adoption by end users. Project Zero will also disclose any vulnerabilities once the 90 days is up, even if the vendor has yet to release a patch.

Our Take

Project Zero’s 2019 approach is less comprehensive than its 2020 version. At the time, Project Zero could make a disclosure either after the 90 days or whenever a vendor fixed the bug, whichever came first. Compared with the 2020 approach, the 2019 approach had a couple of flaws. By disclosing the vulnerability as soon as it was patched, two common issues would arise. First, companies would often issue a patch within the 90-day period that was lacking in vertical depth – focusing on speed of release, rather than the effectiveness of the patch. According to Tim Willis, project manager for Project Zero, “Too many times, we’ve seen vendors patch reported vulnerabilities by papering over the cracks and not considering variants or addressing the root cause of a vulnerability.” Without taking time to develop robust patches, attackers could create simple workarounds and resume their infiltration.

Second, vendors could claim they had resolved the vulnerability with their surface-level patch. In the long run, this is even more damaging for both the vendor and the end users. A vendor would have to work to repair the patch’s flaws while still suffering new infiltration and probing attempts from attackers. Furthermore, customers’ data may be at risk due to an ineffective patch, eroding their trust in their vendor to safeguard their information.

By giving the full 90 days before Project Zero discloses a vulnerability, both issues are mitigated. The 2020 approach gives vendors a leg up on the malicious actors by limiting when an attacker will become aware of a vulnerability. While attackers are always probing businesses for weaknesses, making a public disclosure acts as a beacon of interest to attackers, highlighting a vulnerable business. Like moths to the flame, new attacks will be carried out on the vulnerable vendors, searching for a weakness. The 2020 approach will give vendors more time to test iterative patches and to make sure that the patch functions as intended. Vendors can now be more exhaustive and thorough in their patch development.

The final policy change was to also improve patch adoption by end users. Tim Willis added, “The end-user security does not improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device.” Improving patch adoption is important to ensure that users benefit from the vulnerability being fixed. Part of this comes from incentivizing vendors. Under the 2020 trial, vendors should be incentivized to patch faster. Developing a patch earlier in the 90-day cycle gives vendors more time to refine and improve it. Vendors can go beyond surface-level patches and create patches with more vertical depth. This also removes the ability for attackers to bypass patches with only minor changes, which should make it harder for attackers to use variations of an exploit.

What It Means for Vulnerability Management

Shifting the disclosure date for vendors to a hard 90-day limit regardless of when the patch is issued will shift how zero-day patches are managed. The shift will create a reliable and predictable deadline for vendors. Once Project Zero approaches them with a vulnerability, a vendor knows how long they have. While the 90-day deadline can be extended by an extra 14 days, the qualifications for the extension are very high. Project Zero wants the field to be completely balanced as well, where no vendor – including Google – gets preferential treatment. The disclosure dates should apply to everyone.

Project Zero has also helped to improve the defence capabilities of vendors. Attackers are incentivized to spend time analyzing security patch notes to learn about vulnerabilities. Attackers will establish a synopsis of details regardless of whether vendors attempt to withhold technical data. Vendors cannot be expected to afford the same depth of analysis as attackers do. Vendors want to have more information about the risks they and their users face. By giving vendors more technical data, Project Zero helps vendors and administrators to deploy mitigation and detection rules. Defenders must be correct 100% of the time, and attackers must only be successful once to cause damage. Any information Project Zero can provide may help to balance this asymmetric relationship.

By removing the inconsistency of its policy, Project Zero can remove a barrier for vendors working with them. By applying the disclosure policy consistently and equitably, vendors are now on the same timeline to fix their vulnerabilities. It should encourage vendors to work with Project Zero on further problems, building transparency and fostering data sharing. The result will be more trust and collaboration between vendors and Project Zero. The disclosure policy is complex, but it has results. At Project Zero’s start in 2014, it would take six months to patch a vulnerability. Currently, 97.7% of the vulnerabilities discovered by Project Zero are patched within the 90-day disclosure period. While the policy won’t please every vendor, it is a good balance between end-user security and vendor privacy. Vendors will need to adjust or accept having their vulnerabilities outed to the public and attackers alike.


Want to Know More?

Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

Design and Implement a Vulnerability Management Program

Develop and Implement a Security Incident Management Program

Build a Vendor Security Assessment Service