Researchers and vendors must strike a delicate balance when developing vulnerability disclosure windows, to factor in an increasingly intricate patch development and adoption process as an ever-growing tangle of vulnerabilities is uncovered.
A 2021 trial version for a vulnerability disclosure timeline, announced last month by Google’s Project Zero team - its team of security analysts tasked with finding zero-day flaws - reflects the varying challenges relating to the patching process that companies must navigate when developing disclosure windows. Previously, Project Zero’s policy mandated that disclosure should occur 90 days after an initial vulnerability report, regardless of when the bug is fixed. However, the new trial gives an additional 30-day leeway period for publishing the technical details, if the issue has been fixed within 90 days, with the intent of providing a cushion period for businesses to then apply those patches.
Researcher disclosure window deadlines are important because they put pressure on vendors to roll out patches in a timely manner. As of April 30, Project Zero said that there are 1,797 vulnerabilities in a "fixed" state in their issue tracker, and 73 vulnerabilities have been disclosed without a patch being available to users - meaning that over the total lifetime of Project Zero, 95.9 percent of issues have been fixed under deadline.
Casey Ellis, founder and CEO of Bugcrowd, said Project Zero's move marks an acknowledgement of the patch adoption "lag" that often exists on top of these deadlines.
“The addition of the 30 days extension from Project Zero reflects a third dynamic, the lag which often exists between patch release and a meaningful percentage of the user population having installed the patch,” said Ellis.
Patch Adoption Challenges
Project Zero’s previous disclosure policy was also a trial that was proposed in 2020, intending to give vendors the flexibility to prioritize shipping the fix earlier in the 90-day cycle rather than later. The overall goal behind this policy was to help quicken patch development - the deployment of patches by vendors - and patch adoption - the ultimate application of these patches by end users to affected systems.
“In practice however, we didn't observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch,” said Tim Willis, senior security engineering manager with Google Project Zero. “In other words, the implied timeline for patch adoption wasn't clearly understood.”
Patch adoption remains a significant challenge for end-user organizations, which are struggling to keep up with a steady stream of critical and high-severity vulnerabilities on top of the regularly-scheduled monthly security updates issued by vendors. A November Bitdefender report revealed that almost two-thirds of vulnerabilities in organizations that have not been patched are older than 2018 - meaning that organizations are open to security holes for which patches have been available for years. The report painted a grim picture of the patch landscape, revealing deep-rooted challenges for organizations in adopting patches for operating systems and applications in an active and timely manner. For instance, 52 percent of organizations reported having a manual patching procedure instead of an automated one, making their patch process more complex, according to the report.
The concept of patch adoption adds another layer to the development of vulnerability disclosure windows. Willis noted that security at the end-user level doesn’t improve when a bug is found or fixed - the end users must be aware of the bug and patch their devices. Project Zero’s new additional 30-day period aims to fix this issue by making the patch adoption piece a more “explicit part” of the vulnerability disclosure policy.
“By giving a 30-day window for patches to roll out … It’s an indicator that updates aren’t being applied,” said Brian Gorenc, director at Trend Micro’s Zero Day Initiative. “This leads to a completely different discussion on why people don’t install patches, but the fact is that many people don’t trust updates.”
Putting Pressure on Patch Development
Patch development is another complex process that researchers are mulling when they develop disclosure windows. Willis said that the goal of Project Zero’s disclosure window is not only for vendors to develop patches more quickly and have the correct processes in place to effectively get those patches to end users, but also to be more thorough in their patches.
“Too many times, we've seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” said Willis. “One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”
One challenge is that vulnerabilities are continually being discovered on various vendor platforms. Microsoft Exchange ProxyLogon flaws, for instance, disclosed in March left businesses scrambling to patch their systems - however, a month later cybercriminals continued to sniff out vulnerable systems used to deploy malware. Other flaws, such as the critical vulnerability in the Windows Netlogon Remote Protocol known as Zerologon (CVE-2020-1472) or a nasty bug in Oracle WebLogic Server (CVE-2020-14882), have caused headaches both for vendors and end users for over a year.
“This rising volume makes it harder for vendors to respond to everything, and it could lead to bugs being missed or dropped unintentionally,” said Gorenc. “Some companies have a mature response process and can handle the load, but others may struggle.”
Another issue rises from the fact that different vendors deal with patching in varying ways, which can make disclosure policies hard to apply across the board. For instance, deploying a patch for a bug in a website, which is centralized, accessible and likely has a recent codecase, may be a much more seamless process than issuing a fix for flaws in a fleet of satellites in the sky, mission-critical devices or medical devices, which may be decentralized, difficult to access or dependent on uptime.
For researchers, factoring in these varying patching challenges when looking at disclosure windows presents an “interesting balancing act,” said Bugcrowd’s Ellis. Should a policy timeline be too short, users of the affected products face the risk of exploitation - but should it be too long, there’s a substantial risk that the vendor won’t act with the appropriate urgency necessary to protect users, said Ellis.
“The 30-day extension provides some grace here and signals a very clear expectation that these types of products will be targeted and they should be stepping up efforts to reduce vulnerability remediation and user base dwell time,” Ellis said.
The Future of Disclosure Windows
Google Project Zero’s 2021 trial will also include an array of other changes beyond the additional 30 day leeway period. For instance, it will include a disclosure deadline of seven days for issues that are being actively exploited in-the-wild against users. However, unlike the previous 2020 trial policy, if the issue is fixed within seven days, Project Zero said it would publish technical details 30 days after the fix. And, unlike before, vendors can request a three-day grace period for in-the-wild bugs.
On the heels of Project Zero’s proposed trial changes, Ellis said, other researchers might be more open to tweaking their disclosure deadlines for similar reasons that the Project Zero team has laid out, provided there is open communication and agreement.
“Researchers looking to take a practice leadership position communicating vendor empathy might adopt these same types of policies,” he said.