
Google wants to be more transparent about security patches and to protect researchers who discover flaws

13 Apr. (Portaltic/EP) –

Keeping the ecosystem of digital products and services secure requires the commitment of everyone involved in its development, distribution and use. For this reason Google has announced a set of initiatives intended to offer greater transparency about how security patches are implemented and to protect the researchers who identify the vulnerabilities that put that ecosystem at risk.

The company wants to break the cycle of security vulnerabilities that keeps repeating itself: a vulnerability is identified, it is corrected with a patch, and then another vulnerability appears. To this end it has published a white paper that sets out the problems inherent in this environment, collects best practices and shares the measures Google itself has adopted.

The work collected in the white paper draws on the experience of Project Zero, Google's security research team, which specializes in identifying zero-day vulnerabilities, that is, vulnerabilities that are discovered, and in some cases exploited, before the developers have released a patch that fixes them.

In this regard, the company has highlighted that a third of the exploited zero-day vulnerabilities it analyzed in 2022 were variants of vulnerabilities that had already been patched.

According to Google, this happens because some manufacturers or developers patch the original vulnerability incompletely, closing the specific path that was reported rather than the underlying root cause, so a closely related variant remains exploitable. That situation has motivated a series of initiatives aimed at addressing the risks it creates.

Specifically, Google proposes greater transparency in the vulnerability patching cycle, paying attention to the friction points and addressing the root cause of each vulnerability rather than only its symptoms. It also proposes protecting the researchers who discover these security issues before cybercriminals can exploit them, since sometimes "their contributions are not welcome or are misinterpreted."

Likewise, to support the ecosystem of manufacturers, developers, researchers and users, Google announced this Thursday the 'Hacking Policy Council', a group that will advocate for common-sense policies on the disclosure and management of vulnerabilities, as detailed in a press release.

The group is being formed as a project within the Center for Cyber Policy and Law in the United States. Council members include Intel, Luta Security, HackerOne, Bugcrowd and Intigriti.

Google has also announced a 'Security Research Legal Defense Fund', an independent non-profit organization to protect security researchers who act in good faith, and it has added a commitment to exploitation transparency to its own policies: it undertakes to publicly disclose when it has evidence that a vulnerability in any of its products has been exploited.
