Google Backsteps a Bit on Its Security Disclosure Policy

Posted on January 8, 2020 by Paul Thurrott in Google, Microsoft with 5 Comments


Google has made minor but crucial changes to its security disclosure policy after years of complaints from rivals.

“We’re very happy with how well our disclosure policy has worked over the past five years,” Google’s Tim Willis claims. “In saying that … we often receive feedback from vendors [about] things they want us to change … and we have decided to make some changes to our vulnerability disclosure policy in 2020.”

(He gets to that in a far more complex and hard-to-decipher way, so I’ve edited it down to the parts that matter.)

There are a few changes, none of which look major at first, but all are important.

First, while Google is retaining its 90-day disclosure policy, it will no longer disclose security vulnerabilities as soon as they are fixed within that window. Instead, it will wait the entire 90 days, regardless of when a bug is fixed.

Second, Google will for the first time actually work with other firms so that disclosures can occur at the same time that the other firm is ready to explain what happened and what it did to fix the problem.

Microsoft, in particular, has complained about both of these problems (for example, here and here), and they have likewise complained—many times—when Google simply disclosed vulnerabilities regardless of the availability of fixes. This endangers the company’s customers, Microsoft has argued. And Microsoft has even retaliated by pointing out vulnerabilities that Google hasn’t fixed quickly.

Despite the obvious harm, Google still disagrees.

“Some vendors hold the view that our disclosures prior to significant patch adoption are harmful,” Willis continues. “Though we disagree, under this new policy, we expect that vendors with this view will be incentivized to patch faster, as faster patches will allow them ‘additional time’ for patch adoption.”

Google also argues that its policy has resulted in faster patch development and deployment, making zero-day exploits more costly. And it claims great success, noting that “some issues” once needed up to 6 months to fix, whereas 97.7 percent of its issues are now fixed within the 90-day deadline.

Comments (5)


  1. jwpear

    I've never worked for a company the size of a Google or Microsoft, so I can only imagine the work load and size of the teams they have. They may very well have the bandwidth to analyze, fix, test, and prepare documentation and deployment packages for security issues. But based on my experience, 90 days seems like a short amount of time to do that if the vulnerability lies in complex code or features. It's somewhat arbitrary, but 120 days seems like a better mark to hit.

    This still just feels like Google slinging mud to make others look bad under the guise of protecting the world.

    If I were Microsoft and others, I'd be hitting Google hard on its privacy and tracking issues. And you better believe I'd be calling them out on their security vulnerabilities.

  2. lvthunder

    Yeah, because putting an artificial deadline on it leads to bug-free patches. I know when I'm in a hurry that's when I make the most mistakes.

    These people are so arrogant that they think everyone should jump when they say jump. Personally I don't think they need to disclose the problems to the public at all. All that does is inflate Google's ego and put people's devices at risk.

  3. anoldamigauser

    So what they are saying is, "We will still be arrogant dicks, just smaller ones."

  4. nbplopes

    This Google initiative has been going on for years. Instead of whining about it, why don't MS and other really big companies (Apple, Amazon, IBM, who knows) implement the same kind of initiative, if not better?

    I mean this not within the spirit of retaliation, which is just another dumb move, but indeed within the spirit of improving overall Internet security, not only of their systems but of the whole Internet, which includes other vendors' systems. This would for sure make the Internet more secure. If the ones who can also followed suit, this issue could be mitigated.

    In line with the role of the Public Sector, providing security to citizens in our streets and roads, probably this should also be done by them. Yet the Internet is governed by different rules, more driven by the Private Sector. Google realizes this and takes this on board.

    Yes, there are side effects that may come with other risks. But I believe this comes mainly from just one company, in this case Google, being at the forefront of this initiative.

    Furthermore, probably it should be the Public Sector setting the timings, not the private. As a person that enjoys and defends democracy, I feel that our freedoms and security should not be in the hands of the Private Sector, with their own private agendas, but in the hands of people that I choose to be represented by through democratic processes rather than with the wallet (capitalistic processes). I mean, we don't need to operate it, but definitely regulate and police it.

    Soon, we will have automatic cars, automatic cameras ... all driven by the Private Sector, non-transparent surveillance squads guided by unregulated policies in our streets. The Public Sector needs to move on from the bricks-and-mortar way of thinking to the digital way of thinking. Heck, we have managed to regulate air traffic; we need to do the same with digital. Why, when it comes to the Internet, does it seem that common sense stops? The Internet is no longer a new thing.

    At the end of the day, what happened to Facebook within the context of the Cambridge Analytica scandal?

    Meanwhile we are jumping in excitement about new gadgets, smart speakers, smart cameras, smart cars and so on and so forth, allowing organisations to come in and get underneath the tapestry of all we do every single second ... what is the GDPR equivalent in the US?

    PS: I'm not a big fan of Google apart from what they do with Search. So this is not really an emotional observation. Just thinking about the problem with a global perspective, across multiple organizations.

  5. red.radar

    I think it’s great that Google spends its company resources on making their competitors’ products better.