Google thinks it has been disclosing security vulnerabilities too quickly

Google will now wait a little longer before talking about security flaws. The goal: to leave enough time for patches to reach the public.

Finding vulnerabilities in systems is good. Leaving enough time for them to be fixed is better. In short, that is the principle Google will now follow as part of its “Project Zero”. In a blog post published on April 15, 2021, the company set out how it now intends to disclose the vulnerabilities it finds in software.

The announcement matters because “Project Zero” is one of the most prominent initiatives in the cybersecurity field. Founded in 2014 by the American company, it specializes in finding critical vulnerabilities in software, in particular so-called zero-day vulnerabilities, i.e., flaws that are undocumented or not yet identified.

Unofficial logos of Meltdown and Spectre. The little drawings may be pretty, but the flaws they stand for are anything but.

The team has built a strong reputation, to the point that its members are sometimes described as a “dream team”: it was one of the first to discover two flaws affecting almost all processors, Meltdown and Spectre. It also helped secure the iPhone, Windows, Linux, Cloudflare, Apple, LastPass, Dashlane, TrueCrypt and the Bash shell.

These discoveries, which have sometimes shaken the tech world, are sometimes controversial: “Project Zero” applies the principle of publicly disclosing flaws 90 days after the publisher of the affected software has been notified. That notification is when the clock starts. Then, after 90 days, the flaw is published.

Google Project Zero therefore gives companies 90 days to fix a flaw before talking about it on its blog, which is read not only by computer security experts but also by more questionable profiles. Indeed, cybercriminals are not above reading vulnerability reports just as researchers do, and they capitalize on known flaws to carry out their attacks.

This way of doing things has, however, caused some friction with third-party companies, which may feel that their engineers are already fully occupied and cannot be mobilized at short notice to deal with a critical flaw that has just been reported. There were exchanges of this kind with Microsoft over Windows 10 S. Apple, in its own way, has also disagreed with this 90-day period.

An extra month of silence to leave time for updates

This arrangement is now changing, at least in part. The team plans to allow an additional 30 days so that security patches can be adopted without putting the public at risk. In plain terms, this extra month is meant to give the fix time to spread. In principle, after these 30 days it should be widely deployed, so that the flaw can be discussed without much risk.

Google specifies, however, that only companies that respect the 90-day framework are eligible for this additional window. Companies can still obtain an additional 14 days beyond this 90-day period.

A hacker in the dark, hood up, late at night, because of course that is how it is. // Source: Louis Audrey for Arithmetic

This 30-day window also applies to vulnerabilities known to be actively exploited by malicious third parties. In that case, for obvious reasons, Google does not apply the 90-day deadline but a 7-day one, which can be extended by a further 3 days. In such situations, companies are expected to act urgently.

« This 90 + 30 policy gives companies more time than our current policy, because moving straight to a 60 + 30 (or similar) policy can be very steep and confusing. We like to choose a starting point that most vendors will continue to meet, and then gradually reduce the time for creating and following patches », Google writes.

In other words, we have not heard the last of the deadlines that “Project Zero” intends to set for the tech industry.

Cover photo credit: EFF
