Project Zero Extends Its Vulnerability Disclosure Agreement to 90 Days, Changes to Follow
Project Zero is changing its vulnerability disclosure policy to give software developers more time to patch vulnerabilities. This year, the Google-founded Project Zero will run a trial of a hard 90-day disclosure period. Project Zero will now give a vendor the full 90 days before disclosing a vulnerability, regardless of whether the vendor patches it earlier within that 90-day window. Any disclosure earlier than 90 days will be based on a mutual agreement with the affected vendor.
The goal of the policy change is threefold: faster patch development once a vulnerability is identified, a more thorough patch development process, and improved patch adoption by end users. Project Zero will also disclose a vulnerability once the 90 days are up, even if the vendor has yet to release a patch.
Project Zero’s 2019 approach was less comprehensive than its 2020 version. At the time, Project Zero could make a disclosure either after the 90 days or whenever a vendor fixed the bug, whichever came first. Compared with the 2020 approach, the 2019 approach had a couple of flaws, both stemming from disclosing the vulnerability as soon as it was patched. First, companies would often issue a patch within the 90-day period that lacked vertical depth, focusing on speed of release rather than the effectiveness of the patch. According to Tim Willis, project manager for Project Zero, “Too many times, we’ve seen vendors patch reported vulnerabilities by papering over the cracks and not considering variants or addressing the root cause of a vulnerability.” When vendors did not take the time to develop robust patches, attackers could create simple workarounds and resume their intrusions.
Second, vendors could claim they had resolved the vulnerability with their surface-level patch. In the long run, this is even more damaging for both the vendor and its end users. The vendor would have to work to repair the patch’s flaws while still suffering new probing and intrusion attempts from attackers. Furthermore, customers’ data may be at risk due to an ineffective patch, eroding their trust in the vendor to safeguard their information.
By giving vendors the full 90 days before disclosing a vulnerability, Project Zero mitigates both issues. The 2020 approach gives vendors a leg up on malicious actors by limiting when an attacker will become aware of a vulnerability. While attackers are always probing businesses for weaknesses, a public disclosure acts as a beacon, highlighting a vulnerable vendor. Like moths to a flame, new attacks will be directed at the vulnerable vendor, searching for a weakness. The 2020 approach gives vendors more time to test iterative patches and to make sure that the patch functions as intended; vendors can now be more exhaustive and thorough in their patch development.
The final goal of the policy change is to improve patch adoption by end users. Tim Willis added, “The end-user security does not improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device.” Improving patch adoption is important to ensure that users actually benefit from the vulnerability being fixed. Part of this comes from incentivizing vendors: under the 2020 trial, vendors should be incentivized to patch faster, because developing a patch earlier in the 90-day cycle gives them more time to refine and improve it before disclosure. Vendors can go beyond surface-level patches and create patches with more vertical depth. This also removes the ability for attackers to bypass a patch with only minor changes, making it harder for attackers to use variations of an exploit.
What It Means for Vulnerability Management
Shifting the disclosure date to a hard 90-day limit, regardless of when the patch is issued, will change how zero-day patches are managed. The shift creates a reliable and predictable deadline for vendors: once Project Zero approaches them with a vulnerability, a vendor knows exactly how long it has. While the 90-day deadline can be extended by an extra 14 days, the bar for qualifying for the extension is very high. Project Zero also wants the playing field to be completely level, where no vendor, including Google, gets preferential treatment. The disclosure dates should apply to everyone.
Project Zero has also helped to improve the defence capabilities of vendors. Attackers are incentivized to spend time analyzing security patch notes to learn about vulnerabilities, and they will piece together the technical details regardless of whether vendors attempt to withhold them. Vendors cannot be expected to afford the same depth of analysis as attackers, yet they want more information about the risks they and their users face. By giving vendors more technical data, Project Zero helps vendors and administrators to deploy mitigation and detection rules. Defenders must be correct 100% of the time, while attackers need to succeed only once to cause damage. Any information Project Zero can provide may help to balance this asymmetric relationship.
By removing the inconsistency in its policy, Project Zero removes a barrier for vendors working with it. By applying the disclosure policy consistently and equitably, vendors are now on the same timeline to fix their vulnerabilities. This should encourage vendors to work with Project Zero on further problems, building transparency and fostering data sharing. The result will be more trust and collaboration between vendors and Project Zero. The disclosure policy is complex, but it produces results. At Project Zero’s start in 2014, it would take six months to patch a vulnerability. Currently, 97.7% of the vulnerabilities discovered by Project Zero are patched within the 90-day disclosure period. While the policy won’t please every vendor, it strikes a good balance between end-user security and vendor privacy. Vendors will need to adjust or accept having their vulnerabilities outed to the public and attackers alike.