Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Advocates 7-Day Deadline For Vulnerability Disclosure

Posted by timothy on from the on-the-7th-day-you-can-rest dept.

Trailrunner7 writes "Two security engineers for Google say the company will now support researchers publicizing details of critical vulnerabilities under active exploitation just seven days after they've alerted a company. That new grace period leaves vendors dramatically less time to create and test a patch than the previously recommended 60-day disclosure deadline for the most serious security flaws. The goal, write Chris Evans and Drew Hintz, is to prompt vendors to more quickly seal, or at least publicly react to, critical vulnerabilities and reduce the number of attacks that proliferate because of unprotected software."

19 of 94 comments (clear)

  1. Sounds like a huge risk by anthony_greer · · Score: 4, Insightful

    What if a bug cant be fixed and systems patched in 7 days time? are they going to cut corners on something like testing?

    Going from bug report to design and code a fix, to test, to roll it out to the infrastructure in 5 working days seems like an impossible benchmark to sustain even with the super brainiacs working at google

    1. Re:Sounds like a huge risk by maxwell+demon · · Score: 2

      Testing? Isn't that what the customers are for? :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Sounds like a huge risk by slashmydots · · Score: 3, Insightful

      I'm a software programmer so I can honestly say if a company takes more than 7 days to issue a fix, they aren't good. Let's say there's a team of 20 programmers working on a huge piece of software like an ASP system on a website. If the 1-2 people responsible for the module hear about the problem like 4 days after it was reported, the boss seriously screwed up. That's a lack of communication in their company. A 30 minute delay for "there's cake in the breakroom" and 7+ day delay on "someone's hacking our website" means someone epically screwed up the importance of that e-mail getting relayed to the correct people.

      If the programmers can't read their own damn code that they wrote and figure out why the vulnerability happened, they should be fired. They obviously don't know their own code and didn't use comments or worse yet, they don't know what the command they're doing ACTUALLY do and that was the cause of the problem.

      Then if it takes more than 7 days to "publish" or "push" a new version of their software live, then the whole project was designed like it's 15 years ago. These days, you need urgent patches faster than that. Let the programmers who wrote the code do the testing so there's zero delay and then don't require some know-nothing 60-year old head of the department review all code before it goes live.

    3. Re:Sounds like a huge risk by SJHillman · · Score: 2

      I think you have a bug that inserts random "@" symbols into your text. You have 7 days to fix this before I tell the world!

    4. Re:Sounds like a huge risk by Anonymous Coward · · Score: 5, Informative

      We're talking about actively exploited critical vulnerabilities.
      Fix the hole now! You can make it pretty later.

    5. Re:Sounds like a huge risk by SJHillman · · Score: 2

      Are you taking into account testing time for software that may be used on thousands of different configurations? In my mind, that would account for the bulk of the time between notification of an exploit and release of a patch. Of course, this is only for critical exploits that are actively being used, so it's probably better to get out a fix that works for 60% of installs right away and then work on the patch that will work for 100% of installs.

    6. Re:Sounds like a huge risk by HockeyPuck · · Score: 3, Insightful

      so it's probably better to get out a fix that works for 60% of installs right away and then work on the patch that will work for 100% of installs.

      So you're willing to risk breaking 40% of your customer's installs? Are you willing to skip regression testing to make sure your fix breaks nothing else?

    7. Re:Sounds like a huge risk by Todd+Knarr · · Score: 2

      The response isn't necessarily to fix the bug. The response is to mitigate the risk due to the vulnerability. One way is to fix the bug that's behind it. Another is to change configurations or add additional layers to remove exposure due to the bug. For instance there was once a vulnerability in SSH caused by one particular authentication method. Since that method was rarely used and there were alternative ways of doing the same kind of authentication, the most popular immediate solution was to just disable that authentication method. 5 minutes to change a config file and restart sshd and you're done. I'm not sure they ever did fix the bug, and if they did it took at least weeks, but that didn't stop people from protecting themselves within a matter of hours after the problem was made public.

    8. Re:Sounds like a huge risk by Synerg1y · · Score: 2

      That's how you wind up with 5 more holes, no thanks.

    9. Re:Sounds like a huge risk by LordThyGod · · Score: 4, Funny

      We're talking about actively exploited critical vulnerabilities. Fix the hole now! You can make it pretty later.

      Yea, but I only do bugs once a month. On Tuesdays. I can't be bothered before then. Your problems may seem big, but I choose to do things my way, at my pace. Besides my inaction helps support a large secondary market for security appliances, IT support personnel and the like. We jeopardize an entire sector of the economy by undermining these people.

    10. Re:Sounds like a huge risk by Actually,+I+do+RTFA · · Score: 2

      I'm a software programmer so I can honestly say if a company takes more than 7 days to issue a fix, they aren't good.

      I doubt there is any company in the world you consider very good. Care to give me a couple. Bonus points if you do the lookups of "longest open critical issue" instead of making me prove they were over 7 days.

      A 30 minute delay for "there's cake in the breakroom" and 7+ day delay on "someone's hacking our website" means someone epically screwed up the importance of that e-mail getting relayed to the correct people.

      You think it's e-mail relaying? Someone's on vacation? Or working with 3 other people on the feature promised to a customer right away. Or a hundred other reasons why they cannot drop everything.

      If the programmers can't read their own damn code that they wrote and figure out why the vulnerability happened, they should be fired... they don't know what the command they're doing ACTUALLY do and that was the cause of the problem.

      Wow? So, the bug in the library everyone uses, or a flaw in the compiler, never happened to you? How long have you been programming? It can take a while to realize that the documentation got some subtle feature of the library you're using incorrect. And there's always that issue with documentation, once the libraries get big enough.

      Then if it takes more than 7 days to "publish" or "push" a new version of their software live, then the whole project was designed like it's 15 years ago. These days, you need urgent patches faster than that.

      It does depend on the software. You seem to think all software is written for the web, and runs on the servers. That's an easier solution (not trivial of course, and you have scale issues). But what if you have a Linux/OS X/Windows XP/Windows Vista/Windows 8 product? On tons of different hardware?

      Let the programmers who wrote the code do the testing so there's zero delay and then don't require some know-nothing 60-year old head of the department review all code before it goes live.

      Skip QA? Programmers who wrote the code test it? That might work if it's "this function has a buffer overwrite", and the fix is transparent to everyone, but what if the problem arose because the menus were confusing, and people were accidentally reformatting their drive? Are the programmers who thought it was fine in the first place really the best judge of the fix?

      Also, have you written an emergency patch? I have, 2 hours before the software went to QA for the final time (the ship deadline was on us, and QA decided new build/old build.) Hell yes, I talked through every line of code with another person.

      --
      Your ad here. Ask me how!
  2. Re:And when they get bitten in the ass? by h4rr4r · · Score: 4, Informative

    Why is there only one guy?

    How incompetent is the management an organization that does not have enough coverage to deal with those issues?

  3. Re:And when they get bitten in the ass? by anthony_greer · · Score: 3, Funny

    What we call incompetent, newly minted MBA drones call efficiency optimization.

  4. Re:And when they get bitten in the ass? by denpun · · Score: 5, Informative

    Seem like they recommending it only for "critical vulnerabilities under active exploitation". For vulnerabilities where exploits increase as each day passes because of non-disclosure, I would want quick notification.

    FTA and not quite in the summary:

    “Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” the two said in a blog post today. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”

  5. Re:And when they get bitten in the ass? by fuzzyfuzzyfungus · · Score: 4, Insightful

    The big kicker is "under active exploitation". If no exploits are known in the wild, it's still necessary to light a fire under the vendor's ass(you can't assume that the flaw isn't just sitting in somebody's high-value-zero-day arsenal, or that it won't be discovered and exploited in the future); but there is a real argument in favor of trying to work with the vendor to get a proper fix in place before releasing the details, and more or less assuring that every dumb script kiddie can implement the attack if they want.

    If something is already 'under active exploitation', though, the cat is already out of the bag, and the choice isn't really in your hands anymore. The clock already started ticking. Whether you like it or not, every hour it goes unfixed is more room for more attacks. Keeping quiet about it harms the ability of end users to take protective action, and really only helps the vendor save face, which isn't a terribly valuable feature.

    Now, I don't doubt that Google's 'webapps and silent autoupdaters' style gives them a certain self-interested enthusiasm(compared to vendors who cater to much more sedate patch cycles) for fast disclosure; but, again, 'under active exploitation' is the phrase that makes their position(however self-interested) merely realistic. If you know that team black hat already knows about it, you don't really get to choose when it is disclosed, since that has already happened. You only get to choose how slow you make the vendor look.

  6. Re:And when they get bitten in the ass? by fuzzyfuzzyfungus · · Score: 4, Interesting

    Seem like they recommending it only for "critical vulnerabilities under active exploitation".

    Honestly, I'm a bit surprised that they offer even seven days of cover for vulnerabilities with detected exploits. I can certainly see the wisdom of the "Please, don't release 'proof of concept exploit toolkit, not for use for evil' ten minutes after emailing the vendor about the problem..." appeal; but I'd be inclined to report the discovery of an active exploit immediately, as being a noteworthy event in itself.

  7. App approval by EmperorOfCanada · · Score: 3, Insightful

    If one hour ago I was notified of a flaw in my app, and 59 minutes ago I fixed it, and 58 minutes ago I submitted it for approval it could easily be a week before it get approved.

    I would say that after a week they should notify that there is a flaw, but not what the flaw is. Then maybe after 30 days release the kraken (exploitable flaw that is).

    Let's say they discover a pacemaker flaw where a simple android app could be cobbled together to give pacemaker people nearby fatal heart attacks. If they release that in a week then they are vile human beings.

    Most companies do seem pretty slothful in fixing these things but pushing for a company to process the flaw, analyze the flaw, find a solution, assign the workers, fix it, test it, and deploy it in under a week seems pretty extreme.

  8. Re:And when they get bitten in the ass? by h4rr4r · · Score: 2

    I disagree.
    What would they do if the one dev died?
    Then likely even 60 days would not be enough to get his replacement up to speed.

    Any company that has employees it cannot lose deserves this.

  9. Re:And when they get bitten in the ass? by TemporalBeing · · Score: 2

    The big kicker is "under active exploitation". If no exploits are known in the wild, it's still necessary to light a fire under the vendor's ass(you can't assume that the flaw isn't just sitting in somebody's high-value-zero-day arsenal, or that it won't be discovered and exploited in the future); but there is a real argument in favor of trying to work with the vendor to get a proper fix in place before releasing the details, and more or less assuring that every dumb script kiddie can implement the attack if they want.

    And yet Microsoft's policy is that unless it is "under active exploitation" they won't necessarily fix it. They get lots of notices about potential exploits, but don't fix them, even likely high targets, until someone exploits them - which, by then, is really too late.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)