Google is coming up with proposals to improve a vulnerability management ecosystem that’s plagued with an endless “merry-go-round” of problems.
A whitepaper argues that while the security industry has improved in many ways, such as in technological advances and collaboration, many challenges remain within the vulnerability management realm.
Google said “it seems like we’re caught in the same cycle when it comes to security vulnerabilities. A vulnerability is found, patched, and then another pops up, rinses, and repeats.”
Through its vendor-agnostic Project Zero team, that not only studies vulnerabilities but also has pioneered patch and disclosure timelines over the years for the safety of users.
New initiatives in response to the ongoing risks of Zeroday vulnerabilities, the lag time, and patching pain points. It mainly cites the issue of vendors releasing a fix without disclosing that the vulnerability being addressed was actively being exploited. A greater transparency around exploitation helps the industry better understand attacker behavior, ultimately leading to better protections.
It’s emphasize a need to address the root cause of vulnerabilities and prioritize modern secure software development practices with the potential to close off entire avenues of attack.
The researchers makes significant contributions to security through their efforts to find vulnerabilities before attackers can exploit them but in the end still face legal threats when their contributions are unwelcome or misunderstood, which creates a effect on research and vulnerability disclosure. To pave bridge, Google calls out for increased cooperation
To calibrate this, Google is forming a Hacking Policy Group. The group is said to consist of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure.
Google also provides seed funding to the Security Research Legal Defense Fund. The fund will provide legal defense to protect good-faith security researchers who often face legal threats when finding and disclosing vulnerabilities that would advance cybersecurity for the public interest.