
On Thursday, Google outlined a series of initiatives aimed at improving its vulnerability management ecosystem and establishing measures to increase transparency around exploits.
“Zero-day notoriety usually makes the headlines, but risks remain even after they are known and fixed. This is the real story,” the company said in a statement. “These risks range from OEM adoption lags to patch testing issues to end-user update issues.”
Security threats also arise from incomplete patches applied by vendors. Some zero-day exploits in the wild have turned out to be variants of previously patched vulnerabilities.
Mitigating such risks requires addressing the root causes of vulnerabilities and prioritizing modern secure software development practices to eliminate entire classes of threats and block potential attack vectors.
Given these factors, Google said it would establish a Hacking Policy Council to “ensure new policies and regulations that support best practices in vulnerability management and disclosure.”
The company further emphasized that it is committed to publicizing incidents if it finds evidence of vulnerabilities being actively exploited across its product portfolio.
Finally, the tech giant said it is launching the Security Research Act, a public legal defense fund that provides seed funding for legal representation to individuals who engage in good-faith research to find and report vulnerabilities in ways that advance cybersecurity.
Google’s latest security push speaks to the need to look beyond zero-days: making exploitation harder in the first place, driving timely adoption of patches for known vulnerabilities, setting policies that address product lifecycles, and letting users know when products are being actively exploited.
It also serves to highlight the importance of applying secure-by-design principles at all stages of the software development lifecycle.
The disclosure comes as Google launched a free API service, the deps.dev API, to help protect the software supply chain by providing access to security metadata and dependency information for over 50 million versions of 5 million open source packages found in the Go, Maven, PyPI, npm, and Cargo repositories.
In a related development, Google’s cloud division also announced the general availability of Assured Open Source Software (Assured OSS) services for the Java and Python ecosystems.