The release of patches for the recent Hafnium Exchange exploit led to a further massive wave of Exchange server exploits as non-state threat actors reverse-engineered the patches to hack servers for non-political ransomware attacks. It is very often the case that a patch is the first criminal hackers learn of an exploit, and reverse engineering the patch is often a quick and easy way to develop an exploit against those who are still unpatched.
It is for this reason that Google’s Project Zero has often attracted a lot of flak, since it insists on releasing details of exploits within 90 days, irrespective of whether companies such as Microsoft have had enough time to test and roll out a fix.
Today Project Zero announced a new policy which would give companies 30 days to roll out their patch before disclosure, as long as they have actually developed the patch within the usual allotted 90 days, making it 120 days between discovery and disclosure. In cases where companies have not released a patch within 90 days, disclosure would be at the end of the usual 90-day period.
“Moving to a “90+30” model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” said Project Zero manager Tim Willis.
If a flaw is being actively exploited, Google will still give companies a 30-day grace period to roll out a fix, but if no fix has been developed within 7 days, disclosure will be immediate. Companies can, however, ask for an extra 3-day grace period to develop the patch.
Google considers the change a relaxation of their policy, but notes “based on our current data tracking vulnerability patch times, it’s likely that we can move to a “84+28” model for 2022.”