Tag Archive for: Revises

Google’s Project Zero revises vulnerability disclosure timelines to increase patch adoption


NEW DELHI: Google’s Project Zero security research team changed its disclosure policy today with the stated intent to “refocus on reducing the time it takes for vulnerabilities to get fixed”. The team, which finds and reports vulnerabilities in hardware and software, will now publish technical details sooner if a vendor has not fixed a flaw within the deadline, and will withhold them for a patch-adoption period if the vendor has.

“Project Zero won’t share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption,” the company said in a blog post.

Previously, Project Zero published details 90 days after a report regardless of whether a fix had shipped, with an optional 14-day grace period a vendor could request. Under the new policy, an issue still unpatched after 90 days is disclosed immediately, while an issue fixed within the window is disclosed 30 days after the fix; that 30-day delay is meant to give users time to install the patch before exploit-relevant details become public.

Further, for vulnerabilities that are being actively exploited in the wild, Google will publish details immediately if the issue remains unpatched 7 days after it is reported. If the issue is fixed within those 7 days, Google will wait 30 days after the fix before publishing. The company previously offered no grace period on such reports but will now allow hardware and software vendors to request an additional three-day grace period.

The Project Zero team said the changes are aimed at shortening the time between a bug report and a patch being made available to users, while still allowing for “thorough patch development” and encouraging “improved patch adoption” once the affected vendor releases a fix.

Google’s decision comes on the heels of a general increase in cybersecurity incidents around the world last year. According to a March report from the Indian Computer Emergency Response Team (CERT-In), cybersecurity incidents in India grew from 394,499 in 2019 to 1,158,208 in 2020, a rise of about 194%.


Google revises Project Zero’s Disclosure Policy to help improve zero-day vulnerability fixes


Project Zero, Google’s dedicated team of security researchers, has changed its Disclosure Policy to help reduce the time it takes for vulnerabilities to get fixed. From now on the team will withhold the technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline; according to the team, those extra days are meant to allow for user patch adoption.

Google Project Zero’s revised policy says that if an issue remains unpatched after 90 days, technical details are made public immediately. If the issue is fixed within the 90-day window, the details are published 30 days after the fix is released. Vendors can still request a 14-day grace period, and if both parties agree, vulnerabilities can be disclosed earlier as well.


In the case of a zero-day vulnerability actively exploited in the wild, Project Zero will make the technical details public immediately if the issue remains unpatched after seven days. If the vendor patches the issue within that time, technical details will be published 30 days after the fix. Vendors also have the option to request an additional three-day grace period. Previously, Project Zero gave no grace period on such reports and made the details public seven days after reporting, regardless of when the bug was fixed.

The full list of changes for 2021 (Google)

According to the revised Disclosure Policy, Google aims to reduce the time between a bug being reported and a fix being rolled out to users, to ensure that fixes are comprehensive, and to shorten the gap between a patch’s release and its adoption by users.


“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Google Project Zero further said.


Uber revises privacy policy, wants more data from users

Uber Technologies is revising its privacy policy to allow it to access a rider’s location while the Uber smartphone app is running in the background, and to send special offers to users’ friends and family.

Users will be in control in either case and will be able to choose whether to share that data with the ride-hailing company, Katherine Tassi, managing counsel of data privacy at Uber, wrote in a blog post Thursday.

The company has faced criticism in the past over how it handles sensitive information, particularly over its so-called “God view” tool, which apparently lets some Uber employees track the location of customers who have requested car service. U.S. Senator Al Franken wrote to Uber last year requesting information on its privacy policy, including the measures taken to limit access to the tool.


Network World Security

NIST Revises Federal Computer Security Guide – Signal Magazine

The National Institute of Standards and Technology (NIST) has released the most comprehensive update to the government's computer security guide since 2005. The fourth revision of “Security and Privacy Controls for Federal information Systems and
NIST issues major revision of core computer security guide: SP 800-53 (EurekAlert press release)
