
Google Project Zero: 95.8% of All Bug Reports Are Fixed Before Deadline Expires (zdnet.com) 41

The Google Project Zero team said that around 95.8% of the security bugs they find in other software and report to their respective vendors get fixed before the 90-day deadline for a public disclosure expires. From a report: That's quite the batting average for one of the world's most infamous cybersecurity programs. In a statistic shared on Wednesday, Google's elite security team said that during its whole history -- from July 17, 2014, when Project Zero was created, until July 30 this week -- its researchers found and reported a total of 1,585 vulnerabilities to a wide range of hardware and software vendors. Of these, Google said that vendors failed to deliver a patch before the final deadline expired for only 66 reports. As a result, its researchers were forced to make vulnerability technical details public before a fix was made available to users.
  • "Project Four.Two", not "Project Zero"
    • "Project Four.Two", not "Project Zero"

      The "zero" refers to the concept of a 0day (zero-day) [wikipedia.org] vulnerability, one that is previously unknown to the maker of the product. The Project Zero (P0) team's mission is to find and report new (0day) vulnerabilities in widely-used products, but even more importantly to find new classes of vulnerabilities and to invent new ways to attack products. The idea is to find them before the bad guys do, and get them fixed.

  • by ISayWeOnlyToBePolite ( 721679 ) on Friday August 02, 2019 @10:47AM (#59029030)

    I'm curious to know who couldn't fix their software in 90 days but could not find a list.

    However I found a list of open issues still not fixed: https://bugs.chromium.org/p/pr... [chromium.org]

    The culprits listed:

    Transmission
    uTorrent
    Apple (twice)
    tcpdump

    • I'm curious to know who couldn't fix their software in 90 days but could not find a list.

      Android failed to patch in time once, about three years ago.

      I was happy to see that P0 was willing to 0day a Google product. Not that I want unpatched Android vulns to be published, but I think it's important that P0 consistently apply their policy to all vendors, including Google.

      • I was happy to see that P0 was willing to 0day a Google product.

        That seems to be true only for less important bugs. I’m too lazy to go find it again, but when we had a similar discussion (main story may have been about an unpatched Apple vulnerability) here a few years ago I was able to dig up some serious Google vulnerabilities where Project Zero gave them way longer than 90 days - one was well over a year, IIRC.

        • I was happy to see that P0 was willing to 0day a Google product.

          That seems to be true only for less important bugs. I’m too lazy to go find it again, but when we had a similar discussion (main story may have been about an unpatched Apple vulnerability) here a few years ago I was able to dig up some serious Google vulnerabilities where Project Zero gave them way longer than 90 days - one was well over a year, IIRC.

          I'd love to see a citation.

    • by tlhIngan ( 30335 )

      I'm curious to know who couldn't fix their software in 90 days but could not find a list.

      Certain blocks of software are so critical that you can't just patch and go - because a failure of that software can lead to disastrous consequences.

      Think of things like device drivers, kernel scheduler, file systems, network stack. Bugs in these often need more than 90 days because you want to make sure it's rock solid, or a user could lose their data, the machine could crash much too often, or other things that make

      • I'm totally with you on everything you say.

        However I'd still like to see the full list, and as an example of why: I just uninstalled Transmission because they have an issue with integer overflow open since 2017; uTorrent has an issue open since Jan 2018. These are network applications running on a huge number of systems; 90 days seems plenty unless there are special circumstances.

        With linux, one can at least get the feeling that there are a lot of programs with similar functionality and it's hard to tell whic
