Google’s new vulnerability disclosure timeline might be too optimistic for Android

The official timeline had been 60 days. In reality this was never completely obeyed. For example, Tavis Ormandy, an English-born Google engineer resident in Switzerland, has more than once been criticized for disclosing zero-day vulnerabilities within days of informing the vendor.

Now Google has reduced its timeline from 60 days to 7. “Based on our experience, however, we believe that more urgent action – within 7 days – is appropriate for critical vulnerabilities under active exploitation,” announced the company. The reasoning is not to gratify individual engineers such as Ormandy, but to protect targets. “Often,” says the announcement, “we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world.”

The issue was highlighted at the Oslo Freedom Forum last month. A security researcher found what he thought was a new Mac backdoor live during a presentation. The victim was an Angolan dissident. In the event, it turned out to be a known backdoor (and probably an instance of the Hangover campaign). Had it been new, however, what should the researcher have done? If he disclosed nothing for 60 days, it would leave open the possibility of other dissidents being targeted in a potentially life-threatening manner for another 60 days.

For such reasons, says Google, “after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

One company that might be expected to fully support Google would be Rapid7. Rapid7 ‘owns’ Metasploit; and Metasploit has a habit of publishing exploits as soon as it knows about them, whether or not a vendor patch is available. In reality, however, Rapid7 has some reservations. “The reasoning behind shortening the vulnerability disclosure timeline is sound,” blogged William Cheng yesterday, “but the time frame that Google specified could be a bit problematic.”

His particular concern is the mobile world. Fixing a PC vulnerability is simply a matter of liaising with the software vendor. However, fixing an Android vulnerability will almost certainly involve the software vendor, the device manufacturer and the mobile carrier. “This process can take months to complete,” he says. Which then becomes a huge problem “when combined with the 7 day disclosure window that Google has adopted – if exploits found for a particular version of Android are available to the public after just 7 days, then there is a long period of time between when an exploit is available and when the user can get a fix. In the meantime, the user has a phone that can easily be exploited.”
