Google is taking a significant step to ensure that developers on its platform can properly address user privacy and security issues.
Project Zero, the team of top security researchers at the Silicon Valley giant, announced that it had made a significant change to its disclosure policy, hoping to make it easier for vendors to develop security patches for their apps properly before releasing them to customers.
— Engadget (@engadget) January 8, 2020
Reliability Over Speed in Fixing Vulnerabilities
Under the new terms, Project Zero explained that unless there’s a prior agreement, developers will need to disclose all vulnerabilities to customers after 90 days. Before this, Project Zero researchers would make security vulnerability issues public on their bug tracker as soon as these vulnerabilities were discovered.
Tim Willis, the Manager of Project Zero, explained in the post that developers had grown used to simply ‘papering over the cracks’ when fixing reported vulnerabilities on their platforms. By not addressing the root cause of their vulnerabilities, many of them have gone on to ship sub-standard security patches, which do little or nothing to protect users’ privacy.
“One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss,” he added.
In the post, he also explained that vendors now have a window in which patched versions can be installed by users before disclosure. As he puts it, the only way to ensure the security of end-users is to make them aware of the vulnerability and help them install the security patch.
The team also announced that all incomplete fixes should be reported to developers and added to the existing report. Before this, incomplete fixes were treated as separate problems with their own deadlines. The company will also open tracker reports on the 90th day, or as soon as a bug has been patched during a 14-day “grace period” granted when a developer narrowly misses those 90 days. The company pointed out that this new reporting structure will be trialled throughout 2020, adding that it would be made permanent if the trial goes without a hitch.
Google Assistant Gets a Privacy Upgrade
The new reporting structure is just the latest in privacy developments coming from Google. At this year’s Consumer Electronics Show, the search giant rolled out several updates to its Google Assistant, including changes to its privacy handling.
The assistant has been hit with several privacy issues. Last August, Google confirmed that third parties could listen in on conversations its Dutch customers were having with their Assistants, and that some of these recordings were being leaked. However, it made some significant privacy updates this week, including a feature that will allow users to delete their command records by simply saying, “Hey Google, that wasn’t for you.”