The recommended approach for disclosing software security vulnerabilities remains a point of contention among researchers and the vendors whose products they scrutinize: some argue that public disclosure is essential so that those affected can take protective steps, while others argue that it merely alerts attackers to new attack vectors.
Google security engineers Chris Evans and Drew Hintz recently added to the discussion with a blog post recommending that researchers publish their findings within seven days of discovering a vulnerability that is under active exploitation. The aim is to speed up vendor responses, which in many cases are slow to arrive.
For zero-day vulnerabilities that are not being actively exploited, security advocates such as Google's engineers recommend that vendors fix critical issues, or offer a workaround, within 60 days. If the vendor takes longer than that to respond appropriately, some experts advise researchers to publish their findings, both to spur the vendor into action and to let users protect themselves.
If the vulnerability is already being exploited, however, the stakes are higher: each day it goes unpatched can mean more users attacked. Actively exploited zero-day vulnerabilities are especially important to fix quickly because they are more likely to be used in targeted attacks, particularly against political targets, which can have far-reaching consequences, Evans and Hintz wrote. They cited this urgency to justify the seven-day recommendation, noting that Google will attempt to follow the same standard for its own products.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” they wrote. “As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”
Determining the best disclosure strategy
Such a rapid timeline may create more problems than it solves, though, according to some security experts. Many companies will not be able to respond within seven days of a zero-day discovery, but attackers will, Yishay Yovel, vice president of cybersecurity firm Trusteer, told PCWorld. Even if a patch is released within seven days, attackers will likely go after any vulnerability whose details are made public.
“What we’re seeing in the marketplace is hackers targeting vulnerabilities that are two years old,” Yovel said. He added, “That’s because organizations often don’t patch. They just don’t get to it.”
On the other hand, researchers who hold back may wait a long time for the vendor to address the issue, PCWorld noted. Traditionally, researchers were expected not to disclose a vulnerability until the vendor had issued a fix; in practice, that can mean waiting indefinitely, because the fix never arrives.
A study released by Symantec last year found that the average zero-day flaw was exploited for about 10 months before it was publicly disclosed and could be patched, with some remaining vulnerable for years. That type of scenario is why many suggest, as Google does, that researchers go public with their findings after a fixed period of time.
Regardless of whether researchers release details of the zero-day vulnerabilities they discover in a week, two months or never, vendors are best served by avoiding such security defects in the first place. Tools such as static analysis can catch many errors before code ships, reducing the chance of having to handle a public disclosure or produce a patch within a seven-day window. While the debate about disclosure practices is likely to continue, both sides would agree that the best approach is to eliminate problems before they arise.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.