In a blog post titled “New initiatives to reduce the risk of vulnerabilities and protect researchers,” Charley Snyder, Head of Security Policy at Google, announced that:
“We are pleased to be founding members of the Hacking Policy Council, a group of like-minded organizations and leaders who will engage in focused advocacy to ensure new policies and regulations support best practices for vulnerability management and disclosure, and do not undermine our users’ security.”
The other companies joining Google in the Hacking Policy Council are Intel, HackerOne, Bugcrowd, Intigriti, and Luta Security. The organisation aims to create a favourable legal environment for vulnerability disclosure and management, bug bounties, and security research, among other areas.
Improving The Ecosystem; Escaping The Doom Loop
Google’s announcement states that cyber security risks often remain even after they’re known and fixed, and that new cyber security risks are often adaptations of previously patched ones.
Google also released an accompanying whitepaper titled “Escaping The Doom Loop.” The doom loop is the endless cycle of vulnerability, followed by patch, followed by another vulnerability; the whitepaper argues it will be mitigated only by “focusing on the fundamentals of secure software development, good patch hygiene, and designing for security and ease of patching from the start.”
The whitepaper proposes a new response to these risks, which includes: greater transparency in vulnerability exploitation and patch adoption, so that it can be determined whether current approaches are working; more attention to friction points, to ensure risks to users are being comprehensively addressed; addressing the root cause of vulnerabilities and prioritising modern secure software development; and protecting good-faith security researchers, who make significant contributions to security by finding vulnerabilities before attackers can exploit them. These researchers are often met with legal threats and misunderstanding of their intentions.
Google also stated that “independent security researchers make enormous contributions to security, including at Google,” and so it is also developing a fund that would protect good-faith security research in legal cases.