Comprehensive software reviews to make better IT decisions
Project Zero Extends Its Vulnerability Disclosure Agreement to 90 Days, Changes to Follow
Project Zero is changing its vulnerability disclosure policy to give software developers more time to patch vulnerabilities. This year, the Google-founded Project Zero will run a trial period for a hard 90-day disclosure period. Project Zero will now give a vendor the full 90 days to patch a vulnerability, regardless of whether they patch the vulnerability within that 90-day window. A disclosure that is earlier than 90 days is based on a mutual agreement with the compromised vendor.
The goal of the policy change is three-fold. Project Zero wants faster patch development in the event a vulnerability is identified, a more thorough patch development process, and improved patch adoption by end users. Project Zero will also disclose any vulnerabilities once the 90 days is up, even if the vendor has yet to release a patch.
Project Zero’s 2019 approach is less comprehensive then its 2020 version. At the time, Project Zero could make a disclosure either after the 90 days or whenever a vendor fixed the bug, whichever was earliest. In contrast with the 2020 approach, the 2019 approach had a couple of flaws. By disclosing the vulnerability as soon as it was patched, two common issues would arise. First, companies would often issue a patch within the 90-day period that was lacking in vertical depth – focusing on speed of release, rather than the effectiveness of the patch. According to Tim Willis, project manager for Project Zero, “Too many times, we’ve seen vendors patch reported vulnerabilities by papering over the cracks and not considering variants or addressing the root cause of a vulnerability.” Without taking time to develop robust patches, attackers could create simple workarounds and resume their infiltration.
Second, vendors could claim they had resolved the vulnerability with their surface-level patch. In the long run, this is even more damaging for both the vendor and the end users. A vendor would have to work to repair the patch’s flaws while still suffering new infiltration and probing attempts from attackers. Furthermore, customers’ data may be at risk due to an ineffective patch, eroding their trust in their vendor to safeguard their information.
By giving the full 90 days before Project Zero discloses a vulnerability, both issues are mitigated. The 2020 approach gives vendors a leg up on the malicious actors by limiting when an attacker will become aware of a vulnerability. While attackers are always probing businesses for weaknesses, making a public disclosure acts as a beacon of interest to attackers, highlighting a vulnerable business. Like moths to the flame, new attacks will be carried out on the vulnerable vendors, searching for a weakness. The 2020 approach will give vendors more time to test iterative patches and to make sure that the patch functions as intended. Vendors can now be more exhaustive and thorough in their patch development.
The final policy change was to also improve patch adoption by end users. Tim Willis added, “The end-user security does not improve when a bug is found, and it doesn’t improve when bug is fixed. It improves once the end user is aware of the bug and typically patches their device.” Improving patch adoption is important to ensure that users enjoy the benefit from the vulnerability being fixed. Part of this comes by incentivizing vendors. Under the 2020 trial vendors should be incentivized to patch faster. By developing a patch earlier into the 90-day cycle, this will give vendors more time to refine and improve the patch. Vendors can go beyond the surface-level patches and create patches with more vertical depth. This also removes the ability for attackers to bypass vulnerabilities with only minor changes. This should make it harder for attackers to use variations of an exploit.
What It Means for Vulnerability Management
Shifting the disclosure date for vendors to a hard 90-day limit regardless of when the patch is issued will shift how zero-day patches are managed. The shift will create a reliable and predictable deadline for vendors. Once Project Zero approaches them with a vulnerability a vendor knows how long they have. While the 90-day deadline can be extended by an extra 14 days, the qualifications for the extension are very high. Project Zero wants the field to completely balanced as well, where no vendor – including Google –gets preferential treatment. The disclosure dates should apply to everyone.
Project Zero has also helped to improve the defence capabilities of vendors. Attackers are incentivized to spend time analyzing security patch notes to learn about vulnerabilities. Attackers will establish a synopsis of details regardless of whether vendors attempt to withhold technical data. Vendors cannot be expected to afford the same depth of analysis as attackers do. Vendors want to have more information about the risks they and their users face. By giving vendors more technical data, Project Zero helps vendors and administrators to deploy mitigation and detection rules. Defenders must be correct 100% of the time, and attackers must only be successful once to cause damage. Any information Project Zero can provide may help to balance this asymmetric relationship.
By removing the inconsistency of its policy, Project Zero can remove a barrier for vendors working with them. By applying the disclosure policy consistently and equitably, vendors are now on the same timeline to fix their vulnerabilities. It should encourage vendors to work with Project Zero on further problems, building transparency and fostering data sharing. The result will be more trust and collaboration between vendors and Project Zero. The disclosure policy is complex, but it has results. At Project Zero’s start in 2014, it would take six months to patch a vulnerability. Currently, 97.7% of the vulnerabilities discovered by project Zero are patched with the 90-day disclosure period. While the policy won’t please every vendor, it is a good balance between end-user security and vendor privacy. Vendors will need to adjust or accept having their vulnerabilities outed to the public and attackers alike.
Want to Know More?
Qualys VMDR and Ivanti have announced a new partnership dedicated to improving the detection and patching of vulnerabilities. Announced July 30, the Qualys and Ivanti Partnership have already gone live as an integrated component of the VMDR solution.
IBM is changing the terms of its ubiquitous Passport Advantage agreement to remove entitled discounts on over 5,000 on-premises software products, resulting in an immediate price increase for IBM Software & Support (S&S) across its vast customer landscape.
RiskSense announced on July 13 its new version of the cloud-delivered RiskSense risk management platform. The main draw of the program is its holistic risk calculation across CVEs and CWEs.
Cyberthreats are omnipresent for any enterprise. Monitoring ingress and egress points while still conducting business is a balance security professionals attempt to strike. Couple this with the continued security issues around remote work during the pandemic, and security teams have their hands full.
On May 26, Kenna Security released its new Prioritization to Prediction Benchmark Survey. This free tool provides organizations with the ability to compare their vulnerability management programs to industry averages Kenna Security has compiled over the years.
COVID-19 has changed a great deal about how businesses operate. From a security perspective, however, COVID-19 caught many businesses off guard. The shift from working in the office to working from home has made it difficult for security measures to keep pace. Specifically, how are businesses meant to maintain the same secure networks when their employees are no longer working in the office? Outside of the security of the IT departments, IT and security have a tough time ensuring that patching and vulnerability management remain at the forefront of a business’s priorities.
Google has identified “unsafe” code in the Chromium web browser engine. This flaw introduces a potential vulnerability that effects Google Chrome, as well as all Chromium-based web browsers.
More than ever, cybersecurity solutions are core to any MSPs offering. No longer should technology service providers be farming this out to dedicated security providers. Trust and peace of mind are the core tenets of what they are selling and solutions like Acronis Cyber Protect Cloud can provide the platform upon which to deliver on those promises.
Kenna Security deployed their new data driven vulnerability management program, Kenna.VM and accessory program, Kenna.VI. Released on April 28th, Kenna.VM was created with the purpose to set service-level agreements (SLAs) with risk tolerance in mind.