Google has outlined new research initiatives to improve the vulnerability management ecosystem, homing in on advocacy, transparency, secure software development and good-faith research.
The "Real Story"
While zero-day vulnerabilities get the headlines, it is the remaining risks that make up the "real story," Google head of security policy Charley Snyder wrote in a blog post. Those risks include lag time in OEM adoption of patches, patch-testing pain points, slow user updates and other issues, he said.
“Today it seems like the community is caught in the same cycle when it comes to security vulnerabilities — a vulnerability is found, patched and then another pops up — rinse and repeat. Managing risk from vulnerabilities and the stakes for society are too high for incremental improvements,” Snyder said.
What Google Recommends
In a new white paper, Google proposes four initiatives to address these risks:
- Greater transparency from vendors and governments about vulnerability exploitation and patch adoption, so the community can diagnose whether current approaches are working.
- More attention to friction points throughout the vulnerability lifecycle, so that risks to users are addressed comprehensively rather than only at the point of patch release.
- Addressing the root causes of vulnerabilities and prioritizing modern secure software development practices, which can close off entire classes of attack rather than individual bugs.
- Protecting good-faith security researchers, whose efforts to find vulnerabilities before attackers can exploit them make significant contributions to security.
Accordingly, Google said it is creating:
Hacking Policy Council. This group of like-minded organizations and leaders will advocate for new policies and regulations that support best practices for vulnerability management and disclosure and that do not undermine users' security.
Security Research Legal Defense Fund. Google is providing seed funding for a legal defense fund to protect good-faith security research. The fund aims to pay for legal representation for individuals performing good-faith research in cases that would advance cybersecurity in the public interest.
Exploitation transparency. By making transparency an explicit part of its policy, Google is committing to publicly disclose when it has evidence that a vulnerability in any of its products has been exploited in the wild.
“We look forward to pushing these efforts forward to drive down risk from vulnerabilities and working with partners to drive change and build a safer ecosystem,” Snyder wrote.