
Google to give devs more time to fix flaws before revealing them


Google's "Project Zero" is a project designed to bolster internet security: when Google finds a security flaw, it informs the developers and gives them 90 days to fix it before going public with the flaw. Now, after a public backlash from several developers, Google is extending the deadline.

While the 90-day deadline is still in effect, if a developer tells Google that they are in the process of making the patch as the deadline gets closer, a 14-day extension is added to the deadline before Google goes public with the security flaw. One other change is that if a deadline is due to expire on a weekend or a public holiday, it will be moved to the next working day.

  

Here is what Google have had to say about the success of Project Zero:

 

"To date, they have fixed 37 Project Zero vulnerabilities (or 100%) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days. Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days."

 

Google have said that, under extreme circumstances, they reserve the right to move the date of Project Zero deadlines, but say that they will treat all vendors equally.

Google are also being held to their own standards: they say that Google products, like the Chrome web browser and Android, will have to abide by the same deadline policy.

 

You can join the discussion on Google's deadline extension on "Project Zero" on the OC3D Forums.

 


Most Recent Comments

16-02-2015, 14:16:19

remember300
That's good but 90 days is too long... depending on the breach or access.
If it was say PayPal allowing a peer to view all information that should be instant
maybe not tell everyone right away, but say it must become public knowledge in 2 weeks solved or not.

16-02-2015, 14:54:42

ImprovizoR
90 days is enough. Unleash the chaos. If that's what it takes for these tech companies to start behaving responsibly. Most people just ignore the fact that these giant tech companies are supposed to be among the most responsible companies in the world. Think about just how much of our sensitive data relies on their services. They absolutely must be held responsible for any and all security flaws or god-forbid hacks. If outing those security flaws urges them to fix their , then I fully support it.

16-02-2015, 15:04:25

barnsley
Quote:
Originally Posted by ImprovizoR
90 days is enough. Unleash the chaos. If that's what it takes for these tech companies to start behaving responsibly. Most people just ignore the fact that these giant tech companies are supposed to be among the most responsible companies in the world. Think about just how much of our sensitive data relies on their services. They absolutely must be held responsible for any and all security flaws or god-forbid hacks. If outing those security flaws urges them to fix their , then I fully support it.

And releasing said exploits into the wild before they are patched is a good thing? What if said issue is something so complex it can't be fixed in the full 90+14 days? Not to mention that not everyone will patch their computers come update time. By making an exploit public, you're giving everyone and their mum an idea of what the exploit is and how they can use it.

I don't want Script Kiddies effing with my stuff.

My biggest issue is the whole thing is coming from Google. Who still don't fix crap on Android and instead leave it to OEMs to fix it.

16-02-2015, 15:34:36

NeverBackDown
Quote:
Originally Posted by barnsley
My biggest issue is the whole thing is coming from Google. Who still don't fix crap on Android and instead leave it to OEMs to fix it.

We all know you prefer iOS. No need to flame Android and start something. Google do a good job. It's hard to maintain pretty much the number one used search engine... also there are so many Android phones and variants it is also equally as difficult to fix bugs. Sure they could do better but by no means they "don't fix crap".. they actually try, hence this whole project.

16-02-2015, 16:05:51

barnsley
Quote:
Originally Posted by NeverBackDown
We all know you prefer iOS. No need to flame Android and start something. Google do a good job. It's hard to maintain pretty much the number one used search engine... also there are so many Android phones and variants it is also equally as difficult to fix bugs. Sure they could do better but by no means they "don't fix crap".. they actually try, hence this whole project.

http://arstechnica.com/security/2015...ndroid-phones/
Oh boy they sure do try. While I understand it would be up to the OEMs to push the update out to the individual phones once the patch is made by Google, they did actually fix one problem in the past which was the Heartbleed bug. Instead they have left it to OEMs, who would rather you buy a new phone. Heck I'll give Google credit, they did used to fix some issues with 4.3 and then left it to OEMs to send out the patches (which they didn't).
Would you want Asus, AMD et al. be left in charge of Windows Update because Microsoft are too busy putting out the next version of Windows?

Google security research is a project aimed at other people, not really specifically (or much at all) Android.

Contrary to your belief, I actually prefer Windows Phone. Why? It's an example of a well written OS that is secure but has customization and can support a decent range of hardware. It's a shame not many people have one, as it is pretty much everything a modern smart phone should be.

We could go back and forth and accuse each other of favoritism of certain companies all day anyway but this isn't the place.

-edit- Before I hear something about Android being open source and that because of that, it somehow excludes it from support I suggest you look up what Linux does/is.