Is 90 days enough time for software vendors to address vulnerabilities?
That's just one of the burning questions around vulnerability disclosure policies, which have become a hot topic this year following Google's disclosure of Microsoft vulnerabilities. "I think it's aggressive," said Wolfgang Kandek, CTO of Qualys Inc., "but more because of the infrastructures around them."
Speaking at RSA Conference 2015 recently, Kandek said 90 days in some cases may not be enough to patch software vulnerabilities because the software code itself may be easy to repair, but changes to the code can also impact the entire infrastructure around the software. "Normally these coding errors that are pinpointed are quickly fixed," he said. "Then that has to be tested and put into production, so there's a lot of overhead that goes along with it."
While Google's Project Zero received criticism for its inflexible 90-day deadline vulnerability disclosure policy (which the company later amended to include extensions), Kandek said he understands why Google is taking a more aggressive approach to vulnerability patching and disclosure policies, especially since the industry standard for deadlines was twice that amount not that long ago.
"Some time ago, maybe two years ago, we were at 180 days. So this is an effort [by Google] to make it go faster, and there's some friction to be expected in the process," he said. "Overall, I think it's a good thing that we're talking about this."
Still, Kandek said vulnerabilities need to be addressed quickly in today's world of frequent data breaches and sophisticated cyberattacks. And with vulnerability reporting being an integral part of the industry, he said disclosures are not malicious in nature, even when it's Google disclosing a competitor's vulnerabilities.
"In the end, everybody is interested in making the ecosystem safer," Kandek said. "I think there's a genuine wish to make our computing infrastructure safer for us."