Tuesday, January 7, 2020

Policy and Disclosure: 2020 Edition

Posted by Tim Willis, Project Zero

At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the larger industry. We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.

In saying that, it's a complex and often controversial topic that is frequently discussed both inside and outside of the team. We often receive feedback from vendors that Project Zero works closely with regarding our current policies: sometimes it's things they want us to change, other times it's how our work has positively impacted their work and users. Conversations like these have helped develop our policies over the years. For example, we introduced our 14-day grace-period in 2015 after helpful discussions with various vendors.

We recently reviewed our policies and the goals we hope to accomplish with our disclosure policy. As a result of that review, we have decided to make some changes to our vulnerability disclosure policy in 2020. We will start by describing the changes to the policy, and then discuss the rationale behind these changes.

Summary of changes for 2020

For vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed.

Fix a bug in 20 days? We will release all details on Day 90.
Fix a bug in 90 days? We will release all details on Day 90.

If there is mutual agreement between the vendor and Project Zero, bug reports can be opened to the public before 90 days elapse. For example, a vendor wants to synchronize the opening of our tracker report with their release notes to minimize user confusion and questions.

We will try this policy for 12 months, and then consider whether to change it long term.

The current list of changes for 2020:

  1. 2019: 90 days or when the bug is fixed (decided by researcher discretion), whichever is the earliest.
     2020 Trial: Full 90 days, regardless of when the bug is fixed. Earlier disclosure with mutual agreement.

  2. 2019: Policy goal:
       • Faster patch development
     2020 Trial: Policy goals:
       • Faster patch development
       • Thorough patch development
       • Improved patch adoption

  3. 2019: Inconsistent handling of incomplete fixes. Such issues are either filed as separate vulnerabilities or added to existing reports at researcher discretion.
     2020 Trial: Details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public) and will not receive a new deadline.

  4. 2019: Bugs fixed in the grace period* would be opened to the public sometime after a patch was released.
     2020 Trial: Project Zero tracker reports are immediately opened when patched during the grace period*.

  5. 2019: Project Zero tracker reports are opened at researcher discretion after the deadline expires.
     2020 Trial: Project Zero tracker reports are opened automatically on Day 90 (or earlier under mutual agreement).

* The grace period is an additional 14 days that a vendor can request if they do not expect that a reported vulnerability will be fixed within 90 days, but do expect it to be fixed within 104 days. If a grace period is requested, and a bug is fixed between 90 and 104 days after it was reported, bug details will be released on the day it is fixed. Grace periods will not be granted for vulnerabilities that are expected to take longer than 104 days to fix. Note that the seven day deadline for vulnerabilities that are being actively exploited "in the wild" will remain unchanged.

We're constantly considering whether our policies are in the interest of user security, and we believe this change is a further step in the right direction. We also think it's simple, consistent and fair.

Rationale on changes for 2020


For the last five years, the team has used its vulnerability disclosure policy to focus on one primary goal: Faster patch development.

We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave. This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement.

If patches take a long time to develop and deploy, then we quickly fall behind the curve: more bugs are introduced than vendors can fix and a herculean effort is required to get things back on track.

We also regularly uncover cases of "bug collisions" with our research. This is where the vulnerability we discovered was previously found and exploited by a real attacker. Knowing that the vulnerabilities that we find are often already being secretly exploited to harm users creates a sense of urgency, and so we ask vendors to fix issues as quickly as possible.

After five years of applying a 90-day disclosure deadline, we're proud of the results we've seen: vulnerabilities are being fixed faster than ever. For example, around the time Project Zero started in 2014, some issues were taking upwards of six months to fix. Fast forward to 2019, and 97.7% of our issues are fixed under deadline. That said, we know there is still room for improvement, both in industry-wide patch development speed and over the entire vulnerability management lifecycle.

Revisiting our underlying policy principles and goals


We recently spent some time articulating the underlying principles of our policies:

  • Simple. Simplicity is important because we want to be easily understood. We also want to operate at scale, otherwise it's even harder to aggressively push all of industry to do better.
  • Consistent. We want to be reliable and predictable. We want to apply our deadlines in a deterministic manner without fear or favour, demonstrating that we mean what we say. The bar for any exception/inconsistency needs to remain extremely high (note: we've only had two exceptions in the five year history of the team).
  • Fair.  We want to be equitable, balanced and impartial. We don't want to be in a position where different vendors (including Google!) get a form of preferential treatment. The same rules should apply to everyone.

We also realised as part of our discussions that there are two other policy goals that we wanted to include. Based on those discussions, here are our policy goals for 2020:

  1. Faster patch development (existing): We want vendors to develop patches quickly and have processes in place to get them into the hands of end users. We will continue to pursue this with urgency.

  2. Thorough patch development (new): Too many times, we've seen vendors patch reported vulnerabilities by "papering over the cracks" and not considering variants or addressing the root cause of a vulnerability. One concern here is that our policy goal of "faster patch development" may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.

  3. Improved patch adoption (new): End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device. To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.

This new policy direction for 2020 gives clear incentives for vendors, especially those that have raised the following issues with us in the past.

  • Since we founded Project Zero, some vendors hold the view that our disclosures prior to significant patch adoption are harmful. Though we disagree (since this information is already public and being used by attackers per our FAQ here), under this new policy, we expect that vendors with this view will be incentivised to patch faster, as faster patches will allow them "additional time" for patch adoption.
  • The full 90 day window is available to perform root cause and variant analysis. We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits.
  • We're also being explicit on improving patch adoption, since we're incentivising that vendors should be able to offer updates and encourage installation to a large population within 90 days.

We also really like that the new policy will improve the consistency of our disclosure process, while also remaining simple and fair. For example, some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time. They saw it as a barrier to working with us on larger problems, so we're going to remove the barrier and see if things improve. We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration.

Disclosure policy is a complex topic with many trade-offs to be made. We don't expect this policy to please everyone, but we're optimistic that it will improve on our current policy, encompass a good balance of incentives and be a positive step for user security. We plan to re-evaluate whether it is accomplishing our policy goals in late 2020.
