Google has been putting public pressure on Microsoft and Apple recently. The company's newly founded Project Zero group has been publishing details of security flaws it found in software shipped by Microsoft, Apple and other large vendors. The aim is to push those firms, and others such as Adobe, to fix vulnerabilities in the products they sell to the public more quickly. Google typically gives a vendor 90 days to fix a reported flaw before it publishes the details, but it is now loosening that rule slightly.
Google came under fire from Microsoft and Apple after it began publishing the flaws, mainly because both companies argued that in some cases a fix was only days away from shipping when the details went public. Because Google intended to stick to its 90-day deadline, it released the details anyway. Now it is adding a 14-day grace period, according to recent statements from the Project Zero team.
“We now have a 14-day grace period,” the team explained. “If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed.” Google also said that deadlines will now fall on normal work days instead of on weekends or holidays.
Google says the policy has worked so far: Adobe, for example, fixed all 37 vulnerabilities reported to it within the 90-day deadline, and 85 percent of all the vulnerabilities Google reported were fixed within that window. While Google has been criticised for the practice, it has also explained why it set such a strict deadline.
“Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community,” the Project Zero team explained. “Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.”
The company explained that it still reserves the right to “bring deadlines forwards or backwards based on extreme circumstances,” and that it holds its own projects, Chrome and Android, to the same standards as the rest of the industry.