Article
Exposing flaws to aid security
John Fitzpatrick, Security Consultant
Janaury, 2017
2 mins read
To support the identification of such a large quantity of security vulnerabilities (523 distinct coding flaws were identified) requires a great deal of effort and Google has done this effectively by engaging with the community. Only by identifying vulnerabilities can Google go about resolving them and they have done this on a large scale.
Indeed, we should be more concerned by companies who are not assigning CVEs, and question what security assurance activities they are undertaking.
Google is a large advocate of bug bounty programs, where it pays out and provides recognition for reporting bugs, especially those pertaining to exploits and vulnerabilities. Bug bounty programs can serve to help better secure products and, in this case, will have been a key catalyst in the number of CVEs we see today. Vulnerability hunters are now aware that by disclosing their discoveries to Google they will receive a financial reward and public recognition. This is obviously preferable to vulnerability hunters choosing not to report the issues and therefore increases the likelihood of the issue being exploited with malicious intent in the wild.
Google's own Project Zero team comprises experienced security researchers, whose primary task is to find bugs, break systems and publish detailed notes on how vulnerabilities have been discovered and exploited to the benefit of the security community. As a result, Google’s security contributions extend beyond simply its own products to include also the products that its customers use. To extrapolate from the CVE data that Google is doing poorly with regards to security is clearly too simplistic a view.
Sign up for the latest insights
Accreditations & Certificates
F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.
