What is Google Project Zero
Google's Project Zero will post security vulnerabilities with a delay
Google's Project Zero is trying a new approach to persuade software vendors to fix security vulnerabilities more quickly while at the same time giving end users time to install the updates. At first glance the new approach seems absurd: the public is to be informed later than before. But Google has its reasons.
Google's "Project Zero" team tracks down vulnerabilities and bugs both in Google's own software and in software developed by other companies. The security team reports any vulnerability it finds directly to the vendor, which then has 90 days to fix it. Until now, Google has informed the public after those 90 days; vulnerabilities that are already being actively exploited by attackers have been published after seven days.
The new approach
For vulnerabilities that are not being actively exploited, Google continues to grant vendors 90 days for the time being. If no patch is available by then, the public is informed immediately. If a patch is available, however, Google waits 30 days from the release of the update before publicly disclosing the details. It can therefore take up to 120 days before the public learns of a vulnerability.
Vendors can request an additional 14 days from Project Zero. Even then, the security team goes public after 120 days at the latest. Behind this lies the fundamental question of who benefits more from publication, users or attackers. That question is an old one and has no universal answer.
Shorter deadlines in acute danger
For vulnerabilities that are being actively exploited, Google grants vendors only seven days. The vendor can request a three-day extension. If there is still no fix after that, Google goes public immediately.
If a fix ships within the seven days, however, Google waits a further 30 days. So it can take up to 37 days before Google informs the public about an actively exploited vulnerability.
Over time, Project Zero would like to shorten the deadlines gradually to push vendors toward faster security updates; 90 + 30 days could become 60 + 30 days, for example. First, however, Project Zero will evaluate the effects of the new approach.
(ds)