Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products. This month, Project Zero revised its Disclosure Policy so that …
I always thought it was a balancing act that Google always got wrong.
Their 90 day deadline was all too strict, let alone the early notification if the patch was released early. There were several times where the 90 days couldn't be held to, because the normal patch cycle was on day 92 - 100, but Google still released the details, including full exploit code on day 90.
Even if the release on day 90 occurs, the users still have to patch. The bad guys could investigate the patch and try and work out what had been fixed, but with Google, they had a head start, because the exploit wasn't only explained, a useful proof of concept was handed to them on a plate.
I was always for Google informing the public about the need to patch as soon as the patch was released, but that they should hold off on the deep details and the PoC code until users had had a chance to patch their software. E.g. release an overview of the security problem on day 90, wait a week or 2 for users to patch, then release the PoC and details of the exploit.
The problem is, whilst this is the responsible way to do things, it isn't as headline grabbing as dumping the full details on day one. By day 10, when the details would be released, people have already become bored with the topic and have moved onto something new.
"Your users are now in a race to update their systems before the hole is exploited by miscreants using the web giant's exploit. If your patch doesn't fully work, your users are now left completely vulnerable while hackers can play merry havoc with your busted code as you scramble to emit a followup update."
No, not at all. Once the patch is released, its downloaded by the people writing malware. At this point, they know exactly what was broken and if the fix didn't actually fix it, for them nothing changes.
This is for complicated bugs, like Microsoft writes, where you have to re-design the entire application from the ground up, in order to eliminate the bug(s).
At least this makes malware authors work harder.
There is no upside for full disclosure at the same time as patch release, so waiting the full 90 days makes sense even if some more clueful malware writers might disassemble the code and reverse engineer the bug before that time.
There is a better option, don't create buggy shitty code that you have no idea what it's doing in the first place, too few 'what ifs' are asked in these situations, testing is lacking
Yes programming is hard and complex, but so is brain surgery, yet the harm that can be done by a programmer probably surpasses anything a brain surgeon might achieve through negligence
Unfortunately, in the internet age, sneezing at the screen and declaring it a working program, and then releasing it for public consumption, is all too common
We only have to look at the huge number of patches M$ releases, and even then they never get it right and end up creating yet more bugs, they should just give up and do the world a favour, SAAS is simply one giant rolling turd, attempting to collect some glitter along its journey
The whole development cycle is one giant clusterfuck
I kid you not, I received no less than 3 updates in the space of 1 week, for Outlook on iOS, and it still shits the bed daily
The idea is great and I fully agree with you ..... unfortunately the company that spends the time and effort to write decent, secure code will always be second to release their product (by several months) and the opposition has already cornered the lions share of the market.
Unless companies get their product out at the 'Speed of the Internet' then they quickly become ex-companies.
I do though wish that would could be given the time to write good product.
By several months? You are optimistic. If you want to ensure it is 100% bug free before release, you'll be years behind the curve.
I'd guess Windows 95 would be about ready for release now, having been recoded a dozen times because of new situations and new attack vectors that have been discovered over the years.
Imagine this Pussies Galore scenario: Project Zero privately informs you that their President Trump Make America Great Again application has a security hole in it ...... which every man, woman and child and their dogs can both exploit and be exploited from.
What would that make Google? Friend or Foe? Enemy Combatant or Beacon of Pathfinder Light? Or does IT make them both, and all four, and something else quite totally different too in the Quantum Sector where a bit of this is also a bit of that and together a bit of something else quite unexpected and novel and disruptive even while being engagingly creative and attractively addictive.
What's the bounty for plugging that sorry mess of a security hole? Be realistic now please, for such is the price to be asked for and paid in order to try and effectively right those sorts of wrongs. One can certainly guarantee no more than that, although that will not stop many a useless army of useful fools rushing in to magnificently prove the point.
And can you imagine the alternative gargantuan price of failure to put in an adequate fix against a Western Capital Systems Crash and Flash Market Collapse?
Friend or Foe? Enemy Combatant or Beacon of Pathfinder Light? ... and together a bit of something else quite unexpected and novel and disruptive ...
You must not be looking at the same Google. I haven't seen anything innovative from them in years.
You must not be looking at the same Google. I haven't seen anything innovative from them in years. ..... Psmo
Some would suggest that be slippery of Google, whilst others would prefer the word, stealthy, Psmo.
Goodness knows what the Alphabet crowd are doing ...... but you certainly were warned over a decade ago things would not be normal .......
“Google is not a conventional company. We do not intend to become one.” .... Larry and Sergey
And you wouldn't easily believe what warranted the following reply from one of their experimental divisions .......
Hello,Thank you for your interest in DeepMind.
We endeavour to review every application we receive, however, due to the volume of applications we unfortunately aren't able to reply to everyone. We will be in touch if our current vacancies might be a match.
Thank you again,
The DeepMind Team
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
