2021-04-17



Google's Project Zero said on Thursday that it will withhold the technical details of a vulnerability for 30 days if the vendor ships a patch before the 90-day or 7-day deadline set by Google.

In a public post, Project Zero said the 30-day window is meant to help drive user patch adoption. "We are changing our disclosure policy to focus on reducing the time it takes to fix vulnerabilities and improving current industry benchmarks for disclosure time periods," Google writes, adding that the change concerns when technical details are released.

Security researchers praised Google for its work on improving the vulnerability disclosure process.

Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber, said that many other vendors and corporate information security organizations take an unacceptable head-in-the-sand approach and simply hope the vulnerability goes away. Maximum transparency is always ideal, but real security is not that easy. "We hope that the cybersecurity industry will begin handling vulnerabilities with the urgency that Google envisions in its new Project Zero disclosure policy," he said.

Bar-Dayan said that remediating vulnerabilities is a continuous balancing act between available resources and business priorities, security and IT objectives, and potential business impacts and specific business implications. He added that organizations need to understand the risk each vulnerability poses.

According to Bar-Dayan, the time between disclosure of a vulnerability and its exploitation keeps shrinking, and attackers do not wait for defenders to act. Enterprise security and IT organizations need to follow Google's lead and clean up their own cyber hygiene.

Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic Centrify, added that public disclosure tends to set the stage for the creation of exploits for the vulnerability, which can cause major problems for customers. However, not all vulnerabilities are the same, so responsible disclosure should be based on actual risk, not merely on the existence of a vulnerability, he said.

Carson says the focus is sometimes placed too much on vendors rather than customers. Responsible disclosure aims to mitigate risk by making customers aware that the vulnerability exists, so they can apply mitigations or vendor patches. Disclosure should prioritize notifying customers of vulnerabilities, and systems that are difficult to patch should also be taken into account. Even after a vulnerability is publicly disclosed, most systems remain unpatched for much longer, sometimes for years.

