Suggests a maximum of 60 days since the issue was reported

Jul 21, 2010 09:42 GMT
Google security researchers propose 60 days vulnerability disclosure deadline

In a post on the official Google Online Security Blog, members of the company's security team express concern about vendors who abuse the concept of responsible disclosure. As a result, they propose that security researchers adopt a reasonable disclosure deadline of at most 60 days from notifying the affected party.

There has been a lot of talk over the years on the subject of “responsible disclosure” vs. “full disclosure” and which of them is the better approach to reporting vulnerabilities. It is generally accepted that, as a security researcher, you stand on one side of the barricade or the other.

Full disclosure is a model practiced by researchers who believe that making vulnerability details public as soon as they are discovered positively impacts the security of end users, because it forces vendors to react immediately and issue workarounds or patches faster. Full disclosure practitioners are generally perceived as rebels by the information security community.

Meanwhile, responsible disclosure is a philosophy in which security researchers notify vendors privately of vulnerabilities discovered in their products. In theory, it allows both parties to work together in the users' best interest. The belief is that, by not making details public, cyber criminals are prevented from leveraging the flaw to attack people.

But this is not always the case, claim researchers Chris Evans, Eric Grosse, Neel Mehta, Matt Moore, Tavis Ormandy, Julien Tinnes and Michal Zalewski from Google's Security Team. “We’ve seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers,” they warn.

To avoid such incidents, they advise other researchers to enforce a reasonable deadline for making details about vulnerabilities public. “[...] We believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software,” the Google Security Team members say.

Of course, this deadline should be flexible, depending on the type of bug reported. A design flaw is given as an example of a situation where more than 60 days would be required for a patch. On the other hand, where there is reason to believe that black hat hackers also know about the bug, a more aggressive deadline could be applied.

Finally, Google expresses its support for security researchers who decide to go public and provide mitigations themselves when these deadlines are not respected. “We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts. […] In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet,” Google's senior security researchers conclude.
