Google's recent decision to adopt a seven-day security disclosure policy could harm the security landscape by driving firms to distribute patches that aren't properly tested prior to release, according to the head of HP's Zero Day Initiative (ZDI) security programme.
In an interview with V3, HP Security Research ZDI manager Brian Gorenc said that in some cases, large firms hit by surprise with a vulnerability report may not have enough time to properly develop and test their fixes before the seven-day disclosure deadline.
“With larger organisations a seven day timeline is difficult for vendors to implement,” he explained.
“They are having to get samples of the exploit itself and the payloads that come with it.”
The result, he fears, could be patches that are not properly tested and that cause conflicts or performance issues when deployed by administrators, undermining customer confidence over the long run. ZDI maintains its own timeline policy which, in the case of non-targeted flaws, can hold disclosure for as long as 180 days.
For its part, Google has acknowledged that in some cases seven days may not be enough for a full patch to be developed and released. In announcing the new policy, Google engineers Chris Evans and Drew Hintz noted that other mitigation measures can be taken to protect users from attacks in the wild while a fix is being developed. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” the pair noted.
Regardless of their stance on disclosure policies, both Google and ZDI wish to see vendors improve the speed with which they develop and deploy fixes for security vulnerabilities. For Gorenc, a large part of the change should come with how they interact with security researchers who report flaws.
He said that the company has seen success in its recent efforts, such as the Pwn2Own contest, in which zero-day flaws exposed during the contest are reported directly to vendors and patched quickly with the cooperation of researchers. Additionally, Gorenc hailed Microsoft's MAPP program, which provides security vendors with the information needed to address vulnerabilities days before patch releases, allowing even unpatched systems to be protected by security software.
“The most important thing is the vendors work to improve their patching process,” he said.
“I think the communication and information sharing between the researchers and protection communities needs to be a smooth operation.”