Google is taking a significant step to ensure that developers on its platform can address issues with user privacy and security enforcement.
Project Zero, the team of top security researchers at the Silicon Valley giant, announced that it had made a significant change to its disclosure policy, hoping to make it easier for vendors to develop security patches for their apps the right way before releasing them for customers’ use.
Reliability Over Speed in Fixing Vulnerabilities
Under the new terms, Project Zero explained that unless there’s a prior agreement, developers will need to disclose all vulnerabilities to customers after 90 days. Before this, Project Zero researchers would need to make security vulnerability issues public on their bug tracker as soon as these vulnerabilities are discovered.
Tom Willis, the Manager of Project Zero, explained in the post that developers had been used to simply “papering over the cracks” when reporting vulnerabilities on their platforms. By not addressing the root cause of their vulnerabilities, a lot of them have gone on to develop sub-standard security patches, which do little to nothing to ensure users’ privacy.
“One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss,” he added.
In the post, he also explained that vendors can now ensure that patched version updates can be installed even before disclosures. As he puts it, the only way to ensure the security of the end-user is to make them aware of the vulnerability that occurred and help them install security patches.
Besides, the team also announced that all incomplete fixes should be reported to developers and added to an existing report. Before this, incomplete fixes were treated as separate problems with their own deadlines. The company will also open tracker reports as soon as a bug has been patched during a 14-day “grace period” (in case the developer misses those 90 days) and on the 90th day. The company pointed out that this new reporting structure will be tested across 2020, adding that it would be making it permanent if its implementation goes without a hitch.
Google Assistant Gets a Privacy Upgrade
The new reporting structure is just the latest in privacy developments coming from Google. At this year’s Consumer Electronics Show, the search giant rolled out several updates to its Google Assistant, including variations to its privacy handling.
The assistant has been hit with several privacy issues. Last August, Google confirmed that third parties could listen in on conversations that its Dutch customers were having with their Assistants and were actively leaking them. However, it made some significant privacy updates this week, including a feature that will allow users to delete their command records by simply saying, “Hey Google, that wasn’t for you.”