Google Stops Playing Hardball With Exploit Disclosures, Offers 14-Day Grace Period For Patches

Google has been hitting tech companies with a few right hooks in recent months with regards to zero-day exploits. As part of Google's "Project Zero" program, its security researchers discover security vulnerabilities in software products and report their findings to the vendor. The vendor has 90 days from the time of first disclosure to patch the problem, or Google goes public with the full details of the vulnerability. At that point, anyone can pore over the details, and any proof-of-concept code, to take advantage of the exploit before a fix reaches users.

Google busted Microsoft's chops in early January when, after Microsoft missed Google's 90-day window, it disclosed a vulnerability that allowed a non-administrator account to escalate its privileges and gain administrator rights. Microsoft wasn't happy at all about the disclosure, and was particularly miffed because it had specifically told Google that a patch was baking in the oven and would be delivered on January 13, less than two weeks after Google threw its sucker punch.

“Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” warned Chris Betz, Senior Director for Microsoft’s Trustworthy Computing division. “We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.”


Google was unmoved by Microsoft's pleas and disclosed two more Windows vulnerabilities later that month. And for good measure, Google also targeted Apple by disclosing three vulnerabilities in OS X.

Well, it appears that Google has finally gotten the hint and is backing down a bit from its firm stance on disclosing zero-day vulnerabilities. Google announced today via its Project Zero blog that if the original 90-day window expires, it will now give a company a 14-day grace period if the company agrees to release a patch for the vulnerability during that time. This grace period would have spared Microsoft the public disclosure of the elevation-of-privilege vulnerability in early January, since its patch was already scheduled to ship within two weeks of the deadline.

Google goes on to note, “Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).” In addition, Google has taken steps to give companies a break if a disclosure deadline falls on a weekend or a U.S. public holiday. In that case, “the deadline will be moved to the next normal work day.”

For its part, Microsoft said that these changes are a step in the right direction, but are still somewhat misguided. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies," said Betz in a statement to ComputerWorld. "When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up."

It looks like the war of words between Google and Microsoft will continue, even with this relaxation of Google’s Project Zero disclosure policy.