Google's security team redefines "responsibility"
Google's security team has reopened the discussion about the correct and responsible way of disclosing security holes. The team suggests that researchers should be allowed to give software vendors a 60-day deadline for providing a patch.
Until now, Microsoft has claimed the authority to define the meaning of "responsible disclosure". According to their definition, a responsible disclosure involves notifying the vendor of a security hole and then waiting until the vendor provides a patch. In some cases, this approach has resulted in vendors like Microsoft taking more than a year to fix an issue. Those who have refused to play by these rules have been regarded as irresponsible and soon labelled as the baddies who unnecessarily subject users to threats.
This was recently the case with Tavis Ormandy, a member of Google's security team who co-authored the blog post. After discovering a critical hole in the help system of Windows, he negotiated with Microsoft for several days without a mutually satisfactory result. When Microsoft didn't want to commit to a release date, he simply made all the details – including a demo exploit – available online. Before Microsoft could respond, attackers actively exploited the vulnerability. This increased the pressure on Microsoft to such a degree that the vendor released a patch to close the hole after 34 days.
From now on, Google's security team explicitly intends to support this approach. As part of the responsible disclosure policy, security experts are to be permitted to place "a disclosure deadline on any serious vulnerability they report". The Google team say that if a software vendor refuses to cooperate or fails to provide a patch within a reasonable time frame, it is legitimate to disclose the security hole. Google suggests 60 days as a "reasonable upper bound" for patching a genuinely critical issue in widely deployed software.
Google's researchers say they recognise that they themselves have sometimes been unable to meet these requirements, but that they expect to be held to the same standards from now on. The researchers say putting pressure on software vendors will result in "smaller windows of opportunity for black hats to abuse vulnerabilities" and will ultimately improve the security of all internet users.