Jump to content

Search the Community

Showing results for tags 'deadline'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 2 results

  1. Google has adjusted the terms of its controversial Project Zero vulnerability scouting effort, loosening its 90-day disclosure policy somewhat to give companies a better chance of fixing their security bugs before they become public knowledge. Among the changes, Google says it will no longer disclose bugs on weekends and public holidays, and it will even offer software vendors a brief grace period to finish their patches, if they request one. Project Zero has drawn fire from software companies – most notably Microsoft – for disclosing critical vulnerabilities to the public exactly 90 days after it reports them to vendors, a policy that top Redmond security bod Chris Betz said "feels less like principles and more like a 'gotcha'." "What's right for Google is not always right for customers," Betz wrote in a blog post in January. "We urge Google to make protection of customers our collective primary goal." Mind you, it's only natural that Microsoft would be miffed. Among the bugs revealed by Project Zero so far are critical zero-day flaws in Windows that can potentially allow an attacker to gain full control of affected systems. Google's vulnerability disclosures often include proof-of-concept exploit code, meaning cyber-crooks have access to working exploits the minute Google's disclosure goes live. Still, Google seems to have heard Redmond's complaints. On Friday, the online ad-slinger said it would make changes to how Project Zero discloses flaws, but it stopped short of saying it would lengthen the 90-day deadline, noting that CERT's own deadline is even shorter. "We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix," Google's security team wrote in a blog post. "We've chosen a middle-of-the-road deadline timeline and feel it's reasonably calibrated for the current state of the industry." Going forward, however, 90 days won't necessarily mean 90 days. For one thing, if the date of a patch disclosure deadline falls on a weekend or a public holiday, Google now says it will hold off on its disclosure until the next working day. What's more, the Chocolate Factory says it will extend the disclosure deadline by a grace period of up to 14 days, provided a vendor lets it know that a patch will be released on a specific date within the 14 days. "Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed," Google's post states. Google says it will also be sure to pre-assign CVE (Common Vulnerabilities and Exposure) numbers to bugs that go past their deadlines before it discloses them, to avoid confusion and help the public understand specific threats. But Redmond wasn't entirely satisfied with the changes, saying it would much rather see Google work more interactively with software vendors to apply patches. "When finders release proof-of-concept exploit code, or other information publically before a solution is in place, the risk of attacks against customers goes up," Microsoft's Betz told The Register in an emailed statement. "While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies." Google, meanwhile, said that an arbitrary deadline, albeit a nondiscriminatory one, is the best vendors can hope for. "As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances," Google's security team said. "We remain committed to treating all vendors strictly equally." ® Sursa
  2. Google’s unwavering vulnerability disclosure deadlines are the latest chapter in a decades-long debate about how to best inform affected users that there’s a security problem with their software. Since the start of the year, Google’s 90-day clock has most notably ticked down to zero on a trio of flaws in Microsoft products and two others in Apple’s OS X. And upon doing so, Google’s researchers shared with the world technical details and proof of concept code for each vulnerability. Proponents of Google’s policy will argue that 90 days is plenty of time for a vendor to address a “responsibly” disclosed vulnerability. Opponents argue that a zero day is a zero day, and in such cases, a greater cut of attackers has vital information for exploit building when the details are public. Google, being the giant that it is, threw more gasoline on the controversial fire when, with one of the Microsoft flaws, it refused to sit on the details reportedly for two more days until Microsoft said it would be ready with a patch. Today, Google announced several adjustments to its disclosure policy, one of them being a 14-day grace period afforded to vendors that inform Google before the expiration of the 90-day deadline that a patch is scheduled for release within the 14-day extension. “Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” the Project Zero team said in its announcement. “As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally,” the researchers wrote. “Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.” Google also announced that the first public mention of a vulnerability needs to include a CVE identifier and that Google will obtain a pre-assigned one for vulnerabilities that go past deadline. It also said that if a 90-day deadline expires on a weekend or a U.S. public holiday, the deadline will be extended to the next working day. “Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline,” Google said. “Finally, we’d like to call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our data and reasoning compelling.” This should make some major vendors breathe a little easier. Microsoft, for its part, said that it disagrees with arbitrary deadlines because of the uniqueness of vulnerabilities and variables introduced during patch development and testing time. “We prioritize security updates based on the probability and impact to customers,” said Chris Betz, head of the Microsoft Security Response Center. “When finders publically disclose vulnerability information with exploit details, they are increasing the potential for attack for millions of customers.” Google isn’t the only major technology company with a disclosure deadline. HP’s Zero Day Initiative, one of the first vulnerability programs, has a 120-day deadline, while CERT at the Software Engineering Institute at Carnegie Mellon University, a DHS-sponsored organization, has a 45-day deadline. Deadlines ensure that vendors don’t sit on vulnerabilities for months, or years in some cases. “The idea of disclosure deadlines is an old one and in practice in a lot of organizations,” said Katie Moussouris, chief policy officer at HackerOne. “The idea behind it is that people are protected and risk is minimized by limiting the window of exposure caused by an unpatched vulnerability.” Google, meanwhile, made its case that its disclosure policies are working, with vulnerabilities patched consistently and quicker by most of the affected vendors. It says, for example, that Adobe has patched 37 vulnerabilities reported by Google inside of the 90-day deadline; 154 Project Zero vulnerabilities overall (85 percent) were fixed inside of 90 days. Sursa
×
×
  • Create New...