Google will wait a little longer before talking about security flaws. The goal: to leave enough time for the patch to spread to the public.
Detecting vulnerabilities in a system is good. Leaving enough time to fix them is better. That, in short, is the general principle Google will follow in the future as part of its “Project Zero”. In a blog post published on April 15, 2021, the company unveiled how it now intends to disclose the vulnerabilities it finds in software.
The announcement matters because “Project Zero” is one of the most important initiatives in the cybersecurity arena. Founded in 2014 by the American company, it specializes in detecting critical vulnerabilities in software, specifically so-called zero-day vulnerabilities, i.e. flaws that are undocumented or not yet identified.
It has built such a reputation that its members are sometimes described as a “dream team”: it was among the first to discover two flaws affecting almost all processors, Meltdown and Spectre. It has also helped to secure the iPhone, Windows, Linux, Cloudflare, Apple products, LastPass, Dashlane, TrueCrypt and the Bash shell.
These discoveries, which sometimes make waves in the tech world, are also sometimes controversial: “Project Zero” applies the principle of disclosing a flaw 90 days after reporting it to the vendor of the affected software, and that report is when the count starts. Once the 90 days have passed, the flaw is published.
Google Project Zero therefore gives companies 90 days to fix a flaw before discussing it on its blog, which is read not only by computer security experts but also by more dubious profiles. It cannot be ruled out that cybercriminals do their homework like researchers by reading vulnerability reports, and they capitalize on known flaws to conduct their attacks.
This way of doing things has, however, caused some friction with third-party companies, which do not necessarily have teams of engineers, even at large companies, who can be mobilized to fix a critical flaw that has just been announced. There was an episode of this kind with Microsoft and Windows 10 S. In a different register, Apple also disagreed with this 90-day period.
To leave time for updates, one more month of silence
This framework is now changing, at least in part. The team plans to allow an additional 30 days so that security patches can be adopted without risk to the public. Clearly, this extra month is meant to give the patch time to spread. In principle, after those 30 days, it should be widely deployed enough that the flaw can be discussed without much risk.
Google specifies, however, that only companies that respect the 90-day framework are eligible for this additional window. It remains possible for businesses to obtain an additional 14 days beyond the 90-day period.
This 30-day window also applies to vulnerabilities known to be actively exploited by malicious third parties. In that case, for obvious reasons, Google does not apply the 90-day deadline but only 7 days, which may be extended by another 3 days. In such situations, companies are expected to intervene urgently.
« This 90 + 30 policy gives companies more time than our current policy, because moving straight to a 60 + 30 (or similar) policy can be very steep and confusing. We like to choose a starting point that most vendors will continue to meet, and then gradually reduce the time for creating and following patches, » Google writes.
In other words, we have not heard the last of “Project Zero” and its deadlines.