Google on Thursday outlined a series of initiatives aimed at enhancing its vulnerability management ecosystem and setting greater transparency measures around exploits.
“While the notoriety of zero-day vulnerabilities usually grabs the headlines, the risks persist even after they are known and fixed, which is a true story,” the company said in an announcement. “Those risks cover everything from lags in OEM adoption, patch testing issues, end user update issues and more.”
Security threats also stem from incomplete patches applied by vendors, with some zero-days exploited in the wild turning out to be variants of previously patched vulnerabilities.
Mitigating these risks requires addressing the root causes of vulnerabilities and prioritizing modern, secure software development practices to eliminate entire classes of threats and block potential attack pathways.
Taking these factors into account, Google said it is establishing a Hacking Policy Council to “ensure new policies and regulations support best practices for vulnerability management and disclosure.”
The company further emphasizes that it is committed to publicly disclosing incidents when it finds evidence of active exploitation of vulnerabilities across its product portfolio.
Finally, the tech giant said it is instituting a Security Research Legal Defense Fund to provide initial funding for legal representation for individuals engaged in research in good faith to find and report vulnerabilities in a way that advances cybersecurity.
Google’s latest security push speaks to the need to look beyond zero days by complicating exploits, encouraging timely adoption of patches for known vulnerabilities, setting up policies to address product lifecycles, and making users aware when products are actively exploited.
It also serves to highlight the importance of applying secure design principles during all phases of the software development life cycle.
The disclosure comes as Google launches a free API service, the deps.dev API, in an effort to secure the software supply chain by providing access to security metadata and dependency information for more than 50 million versions of five million open source packages found in the Go, Maven, PyPI, npm, and Cargo repositories.
In a related development, Google’s cloud division has also announced general availability of Assured Open Source Software (Assured OSS) services for the Java and Python ecosystems.