Penetration testers aim at open and closed source software

Dec 10, 2014 21:47 GMT  ·  By
Yahoo is giving developers 90 days to fix zero-days, or else everything is made public

Yahoo’s security team has announced that every vulnerability discovered in its penetration tests will be disclosed publicly after a period of 90 days.

One of the team’s responsibilities is to assess the security of the software written by Yahoo, as well as of third-party code that has been integrated into the services the company provides.

Affected entities will be informed of the problem found

Called Yahoo Paranoids and led by Chris Rohlf, the group runs attacks against Yahoo’s own infrastructure in order to find weaknesses a threat actor might be able to exploit.

“This process helps us uncover vulnerabilities not only in the software that Yahoo has written but in the common open-source and commercial products that we use on our network,” Rohlf wrote on Tuesday in a Tumblr post.

Under the new policy, the flaws are remediated immediately by Yahoo’s security team, which also alerts other entities that may be affected by the problem and informs US-CERT (the United States Computer Emergency Readiness Team) so that a Common Vulnerabilities and Exposures (CVE) identifier can be issued for tracking the issue.

Although 90 days may seem a short period for the developer of the code to fix a flaw, a longer window would only increase the risk to users by giving cybercriminals more opportunity to find the flaw themselves and exploit it. The window is not fixed, though.

“We reserve the right to extend or shorten this timeline based on extenuating circumstances, including active exploitation, or known threats,” Rohlf writes.

Security experts understand that sometimes 90 days may not be enough

Cybercriminals succeed in part because they are constantly searching for zero-days to exploit, and with this disclosure policy Yahoo is taking a proactive stance against that practice.

The policy covers not only third-party code but Yahoo’s own software as well. Since the communication in that case is internal, fixing the problems within the allotted time should be easier to achieve.

Whether the vulnerability is published at the 90-day mark depends on several factors, one of them being how difficult the flaw is to address; a complex fix may need more time before a patch can be released.

However, if little or no progress has been made since the date of the private report, Yahoo reserves the right to publish the details, so that organizations can take defensive measures or prepare a patch themselves.
