
Google Project Zero hails dramatic acceleration in security bug remediation

Security vulnerabilities reported by Project Zero in 2021 were patched 28 days faster on average than in 2019, Google’s zero-day security research team has revealed.

Hardware and software vendors took an average of 52 days to fix security flaws last year, well within the 90-day deadline and down from an average of 80 days two years earlier.

Only one bug exceeded its fix deadline, although 14% required the additional 14-day grace period before a working fix was released.

‘Increasing transparency’

“We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines,” said Ryan Schoen of Project Zero in a blog post.

“We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.”

However, Schoen cautioned that Project Zero reports may be outliers “in that they may receive faster action as there is a tangible risk of public disclosure (as the team will disclose if deadline conditions are not met) and Project Zero is a trusted source of reliable bug reports”.

Across 2019, 2020, and 2021, Project Zero reported 376 issues to vendors under its standard 90-day remediation deadline, 351 (93.4%) of which were fixed, while vendors declined to fix 14 (3.7%) bugs.

At 25 days, Linux had the quickest average time to a fix, followed by Google (44) and Mozilla (46). The slowest was Oracle (109), though from a small sample of only seven bugs, followed by Microsoft (83) and Samsung (72).

Browsers

Among the three leading open-source browsers – data being unavailable for their proprietary rivals – Chrome had the shortest gap between receiving bug reports and shipping fixes to users, at 30 days, followed by Firefox (38 days) and Safari (73).

Project Zero commended Google’s rapid release cycle and additional stable releases for security updates, and Chrome’s recent switch from a six-week to a four-week release cycle.

Apple drew plaudits for faster fix rollouts overall, but was criticized for a large interval between landing WebKit patches and shipping them to users, which “leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users”, Schoen warned.

Microsoft’s comparative slowness in patching was blamed on “the monthly cadence” of its ‘Patch Tuesday’ updates.

Record VRP payouts

Google has also announced that it paid out a record-breaking $8.7 million in rewards to security researchers under its Vulnerability Reward Programs (VRPs) in 2021.

The Chrome VRP, which covers not only Google Chrome security but that of several other browsers built on Chromium, awarded $3.3 million for 333 bug reports, with the biggest payout, $45,000, awarded for a Chrome OS flaw.

The Android VRP paid out nearly $3 million, double the total rewards across 2020, including $157,000 for a single exploit chain – the highest-ever Android reward.


Ethical hackers donated more than $300,000 of their rewards to charity.

Source: https://portswigger.net/daily-swig/google-project-zero-hails-dramatic-acceleration-in-security-bug-remediation
