
Sunday, 15 February 2015

Google Relaxes Deadline For Revealing Leaks


Google has made the deadline it applies to revealing vulnerabilities in the products of other software companies somewhat more flexible. Since last year, the search giant has had a team of hackers called Project Zero that actively looks for vulnerabilities in widely used programs.

Once a vulnerability is found, the supplier is informed and gets 90 days to come up with a patch; otherwise Google automatically reveals the details. This was much to the annoyance of Microsoft, which in one case came with an update after 92 days. The software giant had asked Google to disclose the details only after the release of the update, but no reply was given. As a result, users would have run unnecessary risks.

Now Google has announced that it will make the policy somewhat more lenient. If a deadline expires on a weekend or a US holiday, it is postponed to the next working day. In addition, there is a grace period of 14 days. If the 90-day deadline expires but the supplier says it will come with an update within the next 14 days, the details will appear only after the release of the patch.

"The publication of an unpatched issue will now only take place if the deadline is missed by more than two weeks," said Chris Evans of the Project Zero team. The new rules apply not only to Google's research team, but to all parts and members of the search giant who discover vulnerabilities in software from other parties.

Despite criticism from some parties, the deadline is certainly successful, Evans suggests. Most of the vulnerabilities Project Zero discovered were found in Adobe Flash Player. All 37 reported Adobe vulnerabilities were patched within the 90-day deadline. In total, Project Zero discovered 154 vulnerabilities, of which 85% were resolved within the deadline.

For the 73 leaks that were reported to suppliers after October 1, 2014, the figure even comes to 95%. And as it looks now, there will be no missed deadlines in February. "Deadlines seem to work to improve the patch time and safety for users, especially if they are consistently maintained," Evans says.
