Google offers companies leniency on Project Zero 90-day fix deadline
MacNN Staff
Google is changing the rules of Project Zero, its vulnerability discovery and disclosure program aimed at pushing security improvements in operating systems and other software, to give vendors more time to ship patches. In some cases a vulnerability will now be published after the fixed 90-day deadline, giving a vendor up to 14 extra days to get a fix to its customers.
Project Zero has been criticized recently for holding rigidly to its 90-day disclosure period. Microsoft complained after details of a Windows 8.1 flaw were published two days before the fix was due to ship as part of its regular Patch Tuesday cycle, even though Microsoft had asked for publication to be held until the patch was out.
Under the revised rules, if a deadline ends on a weekend or a US public holiday, publication moves to the next working day. A vendor that tells Google a patch is coming shortly after the 90 days can also ask for publication to be held until the patch is available, but only up to 14 days after the original deadline. The team also reserves "the right to bring deadlines forwards or backwards based on extreme circumstances."
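The three rules above combine into a small scheduling calculation that anyone running a disclosure program ends up writing. The code below is an added example, not from the article and not Project Zero's own tooling. The 90-day and 14-day figures are the ones the article gives; the holiday calendar is a constructed sample (which days Google counts as US public holidays is not stated on the page), and publishing on the vendor's promised patch date even if that date is itself a weekend is an assumption.

```python
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple

DEADLINE_DAYS = 90  # standard disclosure deadline, as stated in the article
GRACE_DAYS = 14     # maximum extension for a patch due just after the deadline

# Constructed sample holiday calendar; the page does not list which days count.
SAMPLE_US_HOLIDAYS: FrozenSet[date] = frozenset({
    date(2015, 7, 3),   # Independence Day observed (4 July 2015 was a Saturday)
    date(2015, 12, 25),
    date(2016, 1, 1),
})


def next_working_day(d: date, holidays: FrozenSet[date]) -> date:
    """Roll a date forward past Saturdays, Sundays and listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported: date,
                    holidays: FrozenSet[date] = frozenset(),
                    patch_expected: Optional[date] = None) -> Tuple[date, str]:
    """Compute (publication_date, reason) for a bug reported on `reported`.

    patch_expected is the ship date the vendor has communicated, if any.
    A patch promised after the 90-day mark holds publication until that date,
    but only when it falls within GRACE_DAYS of the original deadline; the
    grace window is measured from the original deadline, not from a
    weekend-rolled one.  Otherwise the deadline stands, rolled past weekends
    and holidays.
    """
    original = reported + timedelta(days=DEADLINE_DAYS)
    if patch_expected is not None and patch_expected > original:
        if patch_expected <= original + timedelta(days=GRACE_DAYS):
            # Assumption: publish on the patch date itself, no weekend roll.
            return patch_expected, "held for patch within 14-day grace"
        note = "patch later than grace window, deadline stands"
    else:
        note = "90-day deadline"
    rolled = next_working_day(original, holidays)
    if rolled != original:
        note += ", moved to next working day"
    return rolled, note


if __name__ == "__main__":
    cases = [
        (date(2015, 1, 1), None),          # plain 90-day deadline
        (date(2015, 1, 4), None),          # deadline lands on a Saturday
        (date(2015, 10, 3), None),         # deadline lands on 1 Jan 2016 (holiday)
        (date(2015, 1, 1), date(2015, 4, 10)),  # patch 9 days late: held
        (date(2015, 1, 1), date(2015, 4, 16)),  # patch 15 days late: not held
    ]
    for reported, patch in cases:
        when, why = disclosure_date(reported, SAMPLE_US_HOLIDAYS, patch)
        print(f"reported {reported}  patch {patch}  ->  publish {when} ({why})")
```

Note that the grace window is anchored on the original deadline: a vendor whose 90-day mark falls on a Saturday does not get the weekend roll plus 14 more days on top of it.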
Although Google has made some concessions, it also defends the program. "Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster." The team points to CERT's 45-day disclosure policy, Yahoo's 90-day policy and ZDI's 120-day policy, all of which rely on the same time-pressure reasoning.
Google also published figures on how often vendors fix Project Zero bugs within the 90 days. Of the 154 Project Zero bugs fixed so far, 85 percent were fixed inside the deadline, and of the 73 vulnerabilities reported and fixed since October 1 of last year, 95 percent were fixed in time. It singled out the Adobe Flash team, which has fixed all 37 Project Zero vulnerabilities reported to it within the deadline.
Junior Member
Apple and MS should create a team to go after Google's OSes and look for bugs and release them as well! Google still won't fix a serious bug that affects about 60 percent of their users because they don't care about their users!
Fresh-Faced Recruit
Google needs to look at its own products' security before threatening others. Try Android, the open and 99% malware-filled piece of crap they call an OS. Fix your crap before claiming stupidity and threatening others, Google!
Senior User
This seems like it could easily fall into the "evil" category, as Google has its own OS and software that would benefit from making other vendors' products look bad (of course they might be bad), but then doesn't hold its own OS and software developers to the same "happy to announce the flaws" standard.
Something of a conflict of interest, maybe?
Managing Editor
Originally Posted by cashxx:
Apple and MS should create a team to go after Google's OSes and look for bugs and release them as well! Google still won't fix a serious bug that affects about 60 percent of their users because they don't care about their users!
Google doesn't update not so much because it doesn't care, but because it would REALLY REALLY like its users to not be so cheap and get something newer. Apple doesn't update 10.6 either, for much the same reason.
Apple has the same apathy about its users: e.g. iWeb, AppleWorks.