‘Project Zero’ investigates the security of various products and may publicly disclose flaws that the manufacturers have not yet corrected.
Google has announced a change to the deadlines applied by “Project Zero”, its team of “hackers for good”. For the first time, Google will give users a 30-day period to install the updates that developers provide after a vulnerability has been fixed.
“Project Zero” was formed by Google to hunt for vulnerabilities in widely used software from any company, including competitors such as Apple and Microsoft. The objective is to find flaws first, so that they can be corrected before criminals exploit them.
Since its creation in 2014, Project Zero has had some friction with developers. Under the initiative’s rules, flaws not fixed within 90 days are publicly disclosed in order to pressure developers into releasing fixes.
This pressure on developers also puts users at risk. Experts have debated the merits of each choice for years: whether it is better to keep flaws confidential, or to publicize them to inform users and embarrass software vendors.
For flaws that the manufacturers did correct, Google released the technical details of the problem almost immediately after the fix was made available to users, even before the 90-day period had elapsed.
That is, the details were published within 90 days or after the flaw was corrected, whichever came first.
This is where Google’s new deadline comes in. From now on, information about a vulnerability will be withheld for 30 days after the update or fix is made available, giving users and companies more time to apply patches to their systems.
Immediate disclosure of vulnerability details does not affect companies that operate primarily with online services, as is the case with Google itself. In these “cloud” services, any update tends to be applied immediately for all users.
But this is not the case for systems and applications installed on devices, such as Android, Windows or Chrome. The availability of the technical details of a flaw can allow criminals to exploit it to attack users who have not yet updated their software.
From now on, under Project Zero’s policy, users will have a period of 30 days to download and install these updates.
Developers can request extensions
Since its creation, Google has been extending the deadlines applied by Project Zero. Today, developers can request an extension of up to 14 days on the 90-day term granted for ordinary flaws.
Project Zero’s new policy also allows extensions for so-called “zero-day” flaws, those that are found in real attacks rather than in testing environments.
Google has another team of experts, called the Threat Analysis Group, or “TAG”, which is responsible for investigating ongoing attacks on the Internet. These investigations often find previously unseen attack code that exploits unknown flaws.
In this case, since the vulnerability is already known to the criminals, Google gives the developer a deadline of just seven days to respond and publish a fix. The details of the problem are released after the deadline, whether or not a fix is available.
However, the new Google rule that gives users time to install updates also applies to these cases. Therefore, for problems corrected within the seven-day period, disclosure is held for a further 30 days after the fix.
Developers can also request a three-day extension in these cases, giving a total of ten days to create a “patch”.
In this way, the maximum disclosure period for flaws already being exploited jumps from 7 to up to 40 days: the initial seven days, plus three requested by the developer, plus 30 if a fix is published.