New initiatives to reduce the risk of vulnerabilities and protect researchers

The security industry has improved in many ways, both in technological advances and collaboration, but many challenges remain especially within the vulnerability management realm. Today it seems like the community is caught in the same cycle when it comes to security vulnerabilities — a vulnerability is found, patched and then another pops up — rinse and repeat. Managing risk from vulnerabilities and the stakes for society are too high for incremental improvements. It’s why Project Zero, a vendor agnostic security research team that sits within Google and studies zero-day vulnerabilities in hardware and software systems, has pioneered patch and disclosure timelines over the years for the safety of users. Building on that ongoing work, today we’re sharing new research and initiatives to help get us out of the endless merry-go-round and elevate the industry as a whole.

An unpatched ecosystem

While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story. Those risks span everything from lag time in OEM adoption, patch testing pain points, end user update issues and more. Additionally, over one-third of the zero-day vulnerabilities exploited in the wild we’ve analyzed in 2022 are variants of earlier patched vulnerabilities, which is the result of vendors applying incomplete fixes to the original vulnerability. In a white paper we’re releasing today, we propose initiatives in response to these risks, including:

• Greater transparency from vendors and governments in vulnerability exploitation and patch adoption to help the community diagnose whether current approaches are working.
• More attention on friction points throughout the vulnerability lifecycle to ensure risks to users are being comprehensively addressed.
• Address the root cause of vulnerabilities and prioritize modern secure software development practices with the potential to close off entire avenues of attack.
• Protect good-faith security researchers who make significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them. Unfortunately, these researchers can still face legal threats when their contributions are unwelcome or misunderstood, which creates a chilling effect on beneficial research and vulnerability disclosure.

Patching the ecosystem together

Making progress on these issues requires cooperation among stakeholders, including industry, who develop the platforms and services that attackers seek to exploit; researchers, who not only find vulnerabilities but identify and drive mitigations that can close off entire avenues of attack; users, who unfortunately still bear too high of a burden of security; and governments, who create incentive structures that shape the behavior of all these other actors. We are committed to driving progress alongside these stakeholders, and we are making several announcements today in support:

• Hacking Policy Council: For the first time, we are seeing laws (both passed and proposed) requiring the private disclosure of vulnerabilities to governments under certain circumstances. It is important that we get these laws right. That’s why we are pleased to be founding members of the Hacking Policy Council, a group of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure, and do not undermine our user’s security.
• Security Research Legal Defense Fund: Independent security researchers make enormous contributions to security, including at Google. Today, we are announcing that we are providing the seed funding to stand up a legal defense fund to protect good-faith security research. In many cases, individuals act independently and in good faith to find and report vulnerabilities – giving vendors a chance to address them before attackers can develop exploits. Unfortunately, these individuals often face legal threats that can cause setbacks to security research and vulnerability disclosure, especially for individuals without access to legal counsel. The Security Research Legal Defense Fund aims to help fund legal representation for individuals performing good-faith research in cases that would advance cybersecurity for the public interest.
• Exploitation transparency: Greater transparency around exploitation helps users take steps to protect themselves, builds understanding of attacker behavior, and can lead to better protections. We believe this transparency should become part of the industry’s standard vulnerability disclosure policies. We have always prioritized transparency when our products are exploited, but starting today we will make this an explicit part of our policy, committing to publicly disclose when we have evidence that vulnerabilities in any of our products have been exploited.

We look forward to pushing these efforts forward to drive down risk from vulnerabilities, and working with partners to drive change and build a safer ecosystem.