Google suggests 60-day limit on responsible disclosure
By Nicole Kobie
Posted on 21 Jul 2010 at 10:22
Google has called for new "rules of engagement" on responsible disclosure, after one of its own researchers courted controversy by publicly revealing a Microsoft flaw.
Google employee Tavis Ormandy last month released details of a vulnerability in Windows Support, only a few days after alerting Microsoft, saying he had no response from the software giant and was looking to spur them to action. His move drew criticism from across the web, while Microsoft patched the flaw last week.
Ormandy was one of seven members of the Google security team contributing to a blog post calling for a new look at responsible disclosure and deadlines on firms to sort out flaws.
Google said responsible disclosure - alerting companies to flaws before taking them public - is not necessarily always more "responsible" than full disclosure, which is publishing the vulnerability without warning.
"The emotionally loaded name suggests that it is the most responsible way to conduct vulnerability research - but if we define being responsible as doing whatever it best takes to make end users safer, we will find a disconnect," the post noted.
"We’ve seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," it added.
60 days to disclosure
Calling for software vendors to act responsibly too, Google said most critical bugs could be fixed within 60 days. "In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the internet," the post said.
Google said its own security researchers find flaws in software from "a variety of vendors", and will support them if they publish flaws after giving companies a fair deadline to deal with the issue. It also said some flaws will need more "aggressive" deadlines if hackers are already aware of them.
The web giant admitted it would need to live by such rules itself, and had previously missed disclosure deadlines. In such cases, it's been "happy for publication to proceed, and grateful for the heads-up."
People on Google Security blog don't understand cyber terrorism
It seems a lot of people on the Google Security blog don't even know what cyber terrorism is.
It is the act of posting a disclosure to change company or government policy, by way of cyber attacks created by the disclosure.
http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html
---
Andrew Wallace
http://sites.google.com/site/n3td3v/
By n3td3v on 23 Jul 2010
