Yahoo officials say that the company will disclose any new vulnerabilities that the company’s security team finds within 90 days of discovery.
The new policy is the same one used by Google’s Project Zero, a team of researchers that looks for vulnerabilities in a variety of commonly used software packages and platforms. That team has been quite prolific in recent months, finding bugs in a number of products from Microsoft and Apple, among others. When a Project Zero member finds a new vulnerability, the team notifies the affected vendor and the clock starts running. If the vendor hasn’t patched the flaw, the team will make the bug details public after 90 days, barring any extenuating circumstances.
Now Yahoo’s own internal security team is adopting the same time frame. Yahoo has been assembling a talented security team in the last few months, having hired Alex Stamos as its CISO and Chris Rohlf to head up its penetration testing team. Rohlf said that his team spends its time banging on Yahoo’s own custom software, as well as the third-party products the company uses, and when a new flaw is found, the team immediately deploys a fix on its own systems. It then notifies others in the community that may be affected, as well as US-CERT.
“Skilled attackers are discovering and exploiting zero-day vulnerabilities all the time, and no system or platform is impenetrable. We firmly believe in the importance of engaging the broader security ecosystem to help ensure as few people as possible are impacted by an attack of this sort,” Rohlf said in a blog post Tuesday.
“As part of our efforts to keep our systems secure, the penetration testing team that I run is constantly performing attacks against ourselves and is looking for new ways that our adversaries might attempt to breach our systems. This process helps us uncover vulnerabilities not only in the software that Yahoo has written but in the common open-source and commercial products that we use on our network.”
Many large software vendors, Web companies and other organizations have internal teams doing work similar to Yahoo’s penetration testing group. But not all of them have public policies like Yahoo’s and Google’s, which spell out for vendors and other researchers exactly what the team is committed to doing. Rohlf said that the three-month disclosure timeline provides the best chance that new bugs will be patched relatively quickly.
“Time is of the essence when we discover these types of issues: the more quickly we address the risks, the less harm an attack can cause. Today, we are committing to publicly disclosing on our security Tumblr the vulnerabilities we discover within 90 days. By committing to this short time frame, we will help ensure that these vulnerabilities are patched as quickly as possible. We reserve the right to extend or shorten this timeline based on extenuating circumstances, including active exploitation, or known threats. We also commit to sharing the appropriate technical details so other parties can assess their risk and take appropriate action,” he said.