Google today published a white paper calling on vendors to provide more transparency into their vulnerability management practices. A longtime supporter of collaboration on bug disclosure and patching, the internet giant believes that the endless ‘doom loop’ of vulnerability patching is exhausting defenders and users. In addition, the tools created in response to novel attack trends do not appear to be improving the situation.
Breaking this loop, Google says, requires a focus on the fundamentals of secure software development, on adopting best practices for patching, and on ensuring that patching is easy and secure from the start. For that, vendors need to understand the root cause of vulnerabilities and to apply complete fixes. Frequency of patching, automated patching, and how fixes are delivered (as standalone patches or part of system updates) should be a focus for all vendors, the company suggests.
Furthermore, the company’s paper underlines that the industry should invest in making patch testing and implementation easier for customers; otherwise, enterprises risk falling behind in adopting fixes that are difficult to apply. More holistic policies addressing product lifecycles should also be adopted. The paper also calls for vendors and governments to be more transparent regarding vulnerability exploitation and patching, in order to support the development of ecosystem-wide mitigations.
To better support bug hunters, Google is offering seed funding for the Security Research Legal Defense Fund, a fund meant to protect good-faith security researchers who face legal threats but who do not have access to legal counsel.
In conclusion, Google calls for vendors to provide more transparency into their vulnerability management practices, for increased attention to ensuring that risks are comprehensively addressed, for the industry to invest in making patch testing and implementation easier for customers, for vendors and governments to be more transparent regarding vulnerability exploitation and patching, and for better support for bug hunters.
Key Points:
• Google calls for vendors to provide more transparency into their vulnerability management practices.
• Vendors should prioritize root cause analysis and focus on the fundamentals of secure software development.
• Patching frequency, automated patching, and how fixes are delivered should be a focus for all vendors.
• The industry should invest in making patch testing and implementation easier for customers.
• Vendors and governments should be more transparent regarding vulnerability exploitation and patching.
• Google is offering seed funding for the Security Research Legal Defense Fund.