Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products. This month, Project Zero revised its Disclosure Policy so that …

  1. Pascal Monett Silver badge

    Always a good thing

    It's a good thing that a bit of allowance is made for those who actively try to keep their products secure. Humanity cannot live at the speed of the machine, the machine has to allow for inferior human traits such as needing sleep and not being at 100% all day long.

    1. big_D Silver badge

      Re: Always a good thing

      I always thought it was a balancing act that Google always got wrong.

      Their 90 day deadline was all too strict, let alone the early notification if the patch was released early. There were several times where the 90 days couldn't be held to, because the normal patch cycle was on day 92 - 100, but Google still released the details, including full exploit code on day 90.

      Even if the release on day 90 occurs, the users still have to patch. The bad guys could investigate the patch and try and work out what had been fixed, but with Google, they had a head start, because the exploit wasn't only explained, a useful proof of concept was handed to them on a plate.

      I was always for Google informing the public about the need to patch as soon as the patch was released, but that they should hold off on the deep details and the PoC code until users had had a chance to patch their software. E.g. release an overview of the security problem on day 90, wait a week or 2 for users to patch, then release the PoC and details of the exploit.

      The problem is, whilst this is the responsible way to do things, it isn't as headline grabbing as dumping the full details on day one. By day 10, when the details would be released, people have already become bored with the topic and have moved onto something new.

  2. stiine Silver badge

    Wow, no.

    "Your users are now in a race to update their systems before the hole is exploited by miscreants using the web giant's exploit. If your patch doesn't fully work, your users are now left completely vulnerable while hackers can play merry havoc with your busted code as you scramble to emit a followup update."

    No, not at all. Once the patch is released, it's downloaded by the people writing malware. At this point, they know exactly what was broken and if the fix didn't actually fix it, for them nothing changes.

    This is for complicated bugs, like Microsoft writes, where you have to re-design the entire application from the ground up, in order to eliminate the bug(s).

    1. Anonymous Coward
      Anonymous Coward

      Re: Wow, no.

      At least this makes malware authors work harder.

      There is no upside for full disclosure at the same time as patch release, so waiting the full 90 days makes sense even if some more clueful malware writers might disassemble the code and reverse engineer the bug before that time.

    2. diodesign (Written by Reg staff) Silver badge

      "its downloaded by the people writing malware"

      Well, yeah, but Google's exploit is right there in the P0 bug tracker. It takes away 50%+ of the effort. I'll add this point.

      C.

  3. ratfox Silver badge
    Devil

    I appreciate that they want to force developers to fix issues as soon as possible, but Project Zero has come across as holier-than-thou at moments. It's probably good for everybody that they are relaxing somewhat their stance.

  4. FlamingDeath
    Thumb Down

    Git Gud

    There is a better option, don't create buggy shitty code that you have no idea what it's doing in the first place, too few 'what ifs' are asked in these situations, testing is lacking

    Yes programming is hard and complex, but so is brain surgery, yet the harm that can be done by a programmer probably surpasses anything a brain surgeon might achieve through negligence

    Unfortunately, in the internet age, sneezing at the screen and declaring it a working program, and then releasing it for public consumption, is all too common

    We only have to look at the huge number of patches M$ releases, and even then they never get it right and end up creating yet more bugs, they should just give up and do the world a favour, SAAS is simply one giant rolling turd, attempting to collect some glitter along its journey

    The whole development cycle is one giant clusterfuck

    I kid you not, I received no less than 3 updates in the space of 1 week, for Outlook on iOS, and it still shits the bed daily

    1. IGotOut Silver badge

      Re: Git Gud

      "Yes programming is hard and complex, but so is brain surgery, yet the harm that can be done by a programmer probably surpasses anything a brain surgeon might achieve through negligence"

      Worse than death or being put into a permanent vegetative state?

      1. sbt Silver badge
        Facepalm

        One brain at a time

        Well, a brain surgeon can only kill one patient at a time, usually. Any more and questions start to be asked. On the other hand, a software engineer working for an aircraft manufacturer could kill hundreds or thousands.

    2. KittenHuffer Silver badge

      Re: Git Gud

      The idea is great and I fully agree with you ..... unfortunately the company that spends the time and effort to write decent, secure code will always be second to release their product (by several months) and the opposition has already cornered the lion's share of the market.

      Unless companies get their product out at the 'Speed of the Internet' then they quickly become ex-companies.

      I do though wish that we could be given the time to write good product.

      1. big_D Silver badge

        Re: Git Gud

        By several months? You are optimistic. If you want to ensure it is 100% bug free before release, you'll be years behind the curve.

        I'd guess Windows 95 would be about ready for release now, having been recoded a dozen times because of new situations and new attack vectors that have been discovered over the years.

  5. Doctor Syntax Silver badge

    I wonder if this is a consequence of Google having been caught out before they could get all their stuff patched.

    1. Psmo Silver badge
      Mushroom

      Don't know.

      I guess we'll find out in 90 days.

    2. Anonymous Coward
      Anonymous Coward

      Gives more time for the TLAs to continue to exploit unpatched systems?

  6. amanfromMars 1 Silver badge

    Picture this and try to Deny and Defend it as Not Being a Persistent ACTive Cyber Threat Vector

    Imagine this Pussies Galore scenario: Project Zero privately informs you that their President Trump Make America Great Again application has a security hole in it ...... which every man, woman and child and their dogs can both exploit and be exploited from.

    What would that make Google? Friend or Foe? Enemy Combatant or Beacon of Pathfinder Light? Or does IT make them both, and all four, and something else quite totally different too in the Quantum Sector where a bit of this is also a bit of that and together a bit of something else quite unexpected and novel and disruptive even while being engagingly creative and attractively addictive.

    What's the bounty for plugging that sorry mess of a security hole? Be realistic now please, for such is the price to be asked for and paid in order to try and effectively right those sorts of wrongs. One can certainly guarantee no more than that, although that will not stop many a useless army of useful fools rushing in to magnificently prove the point.

    And can you imagine the alternative gargantuan price of failure to put in an adequate fix against a Western Capital Systems Crash and Flash Market Collapse?

    1. Psmo Silver badge

      Re: Picture this and try to Deny and Defend it as Not Being a Persistent ACTive Cyber Threat Vector

      Friend or Foe? Enemy Combatant or Beacon of Pathfinder Light? ... and together a bit of something else quite unexpected and novel and disruptive ...

      You must not be looking at the same Google. I haven't seen anything innovative from them in years.

      1. amanfromMars 1 Silver badge

        Re: Picture this and try to Deny and Defend it as Not Being a Persistent ACTive Cyber Threat Vector

        You must not be looking at the same Google. I haven't seen anything innovative from them in years. ..... Psmo

        Some would suggest that be slippery of Google, whilst others would prefer the word, stealthy, Psmo.

        Goodness knows what the Alphabet crowd are doing ...... but you certainly were warned over a decade ago things would not be normal .......

        “Google is not a conventional company. We do not intend to become one.” .... Larry and Sergey

        And you wouldn't easily believe what warranted the following reply from one of their experimental divisions .......

        Hello,

        Thank you for your interest in DeepMind.

        We endeavour to review every application we receive, however, due to the volume of applications we unfortunately aren't able to reply to everyone. We will be in touch if our current vacancies might be a match.

        Thank you again,

        The DeepMind Team
