Google, Microsoft seek new approaches to security disclosure

Perhaps Microsoft and Google can meet somewhere in the middle?

A team of seven Google Security Team researchers has called for a uniform 60-day maximum timeframe for issuing patches for bugs in popular software. The group included Tavis Ormandy, who was at the center of a recent zero-day disclosure controversy between Google and Microsoft.

Ormandy discovered the zero-day flaw affecting Windows XP and 2003, and published an advisory five days after reporting the vulnerability to Microsoft. The Google researcher was indirectly criticized by Microsoft for making details of the exploit public before the company had a chance to study the flaw and issue a patch.

Ormandy defended the disclosure, saying that the release of “this information rapidly is in the best interest of security”.

The team of Google researchers recently posted their opinions on the topic of disclosure on the Google Security Blog, noting that there is “no particular consensus” on what is the safest route for end users: ‘full’ or ‘responsible’ disclosure.

The Google team called ‘responsible disclosure’ a loaded term, one that gives people in the security community the idea that it is the best approach.

But this may not be the case, says the team from Google.

“We’ve seen an increase in vendors invoking the principles of ‘responsible’ disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers”, said the group. “It can be irresponsible to permit a flaw to remain live for such an extended period of time.”

The Google researchers suggested a 60-day maximum period for fixing reported vulnerabilities, noting that both researchers and vendors “must act responsibly”. They also called on the rest of the security research community to adopt this 60-day timeline for the disclosure of serious vulnerabilities, a practice that would put pressure on vendors who delay issuing fixes for such flaws, especially when the flaws are being actively exploited in the wild.

Matt Thomlinson, general manager of security for Microsoft’s Trustworthy Computing group, chimed in on the debate, saying that “coordination and collaboration are required to resolve [disclosure] issues in a way that minimizes risk and disruption for customers”.

Thomlinson said that Microsoft now advocates what it calls ‘coordinated vulnerability disclosure’, under which the finder reports the flaw either to a CERT or to a private coordination service, which then informs the affected vendor.

“The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly”, Thomlinson said.

“If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves”, he added.

However, as Infosecurity notes, what the Microsoft GM of security did not provide was any type of timeframe to resolve these security issues, which has been a point of contention with the Google research team.
