The industry's cyber security has evolved in many ways, both in relation to technological developments and in cooperation. However, as Google Head of Security Policy Charley Snyder points out, there is still a long way to go and many difficulties remain, especially in the field of vulnerability management. The issue of vulnerabilities seems to have entered a cycle: one vulnerability is detected and fixed with a patch, then another emerges, and so on.
In recent years, Project Zero, an independent Google team that examines zero-day vulnerabilities, has initiated new studies and initiatives to drive improvements in hardware and software systems that combat these vulnerabilities.
Ecosystem gaps
Zero-day vulnerabilities often continue to pose a risk even after they are known and fixed. For example, there are risks associated with the time OEMs take to adopt patches, problems during patch testing, users' difficulties in updating, and so on. And not only that: more than a third of all zero-day vulnerabilities detected during 2022 that were exploited in some way were variants of vulnerabilities that had been patched previously but not fully corrected.
In this scenario, Google has published a whitepaper proposing various initiatives to address these risks: greater transparency on vulnerability exploitation and patch adoption from vendors and government agencies, so that the community can better diagnose whether existing approaches are working; greater attention to bottlenecks throughout the vulnerability lifecycle, to ensure comprehensive coverage of the risks to users; and finding the root cause of security vulnerabilities and encouraging modern secure software development practices capable of closing off entire attack paths at the source.
Finally, protection for security researchers acting in good faith. These researchers work on detecting vulnerabilities before an attacker exploits them, and their contribution to security is significant. Unfortunately, when such input is unwelcome or misinterpreted, they face legal threats, which hinders extremely useful research and vulnerability disclosure.
How to fix the ecosystem?
According to Google, it is necessary to move forward in security cooperation between all stakeholders: the industry that develops vulnerable platforms and services; researchers who not only detect vulnerabilities but also point to corrective measures that can close all avenues of attack; users who (unfortunately) have to do more than they should when it comes to security; and governments that can create incentive structures and influence the behavior of all other actors. In this context, Google announces the following:
For the first time, laws are being made that require private disclosure of vulnerabilities to governments in certain situations (some already approved and others at the proposal stage). Google is a founding member of the newly created Hacking Policy Council, made up of like-minded organizations and leaders, which promotes best practices for vulnerability disclosure and management and works to ensure that such rules do not result in a loss of security for users.
In most cases, those who identify and report vulnerabilities are self-employed and act in good faith. Their work gives the owners of these products an opportunity to patch vulnerabilities before an attacker can use them to their advantage. However, it is not unusual for these individuals to face legal threats; this deters security research and vulnerability disclosure, especially for those who do not have access to good legal advice. Google is therefore backing a Security Research Legal Defense Fund, which will help pay for the legal representation of people who conduct good-faith research in cases that advance cybersecurity in the public interest.
Greater transparency about vulnerability exploitation helps users take steps to protect themselves, provides insight into how attackers work, and can improve overall protection. According to Google, this transparency should be part of industry-standard vulnerability disclosure policies. Transparency thus becomes an obvious element of such policies, and Google commits to publicly disclosing any situation in which a security vulnerability in any of the company's products is exploited.