Google LLC is proposing initiatives to improve a vulnerability management ecosystem that’s plagued with an endless “merry-go-round” of problems.
A Google whitepaper, released today, argues that while the security industry has improved in many ways, such as in technological advances and collaboration, many challenges remain within the vulnerability management realm. The cloud and ad giant said that today “it seems like we’re caught in the same cycle when it comes to security vulnerabilities — a vulnerability is found, patched, then another pops up — rinse and repeat.”
Google does its part to address vulnerabilities, particularly through its vendor-agnostic Project Zero team, which not only studies vulnerabilities but has also pioneered patch and disclosure timelines over the years for the safety of users. However, Google claims more needs to be done to “help get us out of the endless merry-go-round and elevate the industry as a whole.”
The white paper proposes initiatives in response to the ongoing risks of “zero-day” or unpatched vulnerabilities, the lag time in original equipment manufacturer adoption, patch testing pain points and end-user update issues.
Leading the list is a call for greater transparency from vendors and governments in vulnerability exploitation and patch adoption to help the community diagnose whether current approaches are working. The white paper cites specifically the issue of vendors releasing a fix without disclosing that the vulnerability being addressed was actively being exploited. Google argues that greater transparency around exploitation helps the industry better understand attacker behavior, ultimately leading to better protections.
The paper calls for more attention to be paid to friction points throughout the vulnerability lifecycle to ensure risks to users are comprehensively addressed. It emphasizes the need to address the root cause of vulnerabilities and to prioritize modern secure software development practices with the potential to close off entire avenues of attack.
Security researchers get a look-in in the paper, with Google calling on all to protect good-faith researchers who make significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them. It’s noted that these researchers still face legal threats when their contributions are unwelcome or misunderstood, which creates a chilling effect on beneficial research and vulnerability disclosure.
To address the issues, Google calls for increased cooperation among stakeholders who develop the platforms and services attackers seek to exploit. This includes the tech industry, researchers, users and governments.
To drive progress, the company has announced that it’s a founding member of the Hacking Policy Group. The group is said to consist of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure.
Google also announced it’s providing seed funding to the Security Research Legal Defense Fund. The fund will provide legal defense to protect good-faith security researchers who often face legal threats when finding and disclosing vulnerabilities that would advance cybersecurity for the public interest.