Google Cloud has announced a significant expansion of its security transparency efforts by committing to assign Common Vulnerabilities and Exposures (CVE) identifiers to critical vulnerabilities found in its cloud products, even when no customer action is required.
This move, effective immediately, underscores Google Cloud’s dedication to enhancing security practices and fostering trust within the IT ecosystem.
The CVE system has become a crucial component in building trust across the technology landscape. It serves as a standardized tracking mechanism that helps users of software and services identify and prioritize vulnerabilities.
By issuing CVEs for critical Google Cloud vulnerabilities, Google aims to provide customers and security researchers with a comprehensive view of potential security issues.
To distinguish vulnerabilities that require no customer action, Google Cloud will apply an "exclusively-hosted-service" tag to the CVE records. The tag indicates that the vulnerability was fixed on Google's side of the service boundary, so there is no patch for customers to deploy and no configuration change for them to make; the record exists for tracking and disclosure, not as a call to action.
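For teams that ingest CVE feeds automatically, the practical question is where the tag lives and how to route records on it. The following is an added example, not Google's code or any CVE Program tooling. It assumes the CVE Record Format 5.0 layout, in which the CNA container's tags are a list of strings under containers.cna.tags; the two sample records are constructed for the example and use placeholder IDs, not real CVEs.

```python
"""Triage helper: split CVE JSON 5.0 records by whether the customer must act.

Added example (not Google Cloud's code). Assumes the CVE Record Format 5.0
layout, where CNA tags are a list of strings at containers.cna.tags.
The sample records below are constructed for this example; the IDs are
placeholders, not real CVEs.
"""
import json

HOSTED_TAG = "exclusively-hosted-service"

# Constructed sample feed: two records in CVE JSON 5.0 shape (not real CVEs).
SAMPLE_FEED = json.dumps([
    {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
        "containers": {"cna": {
            "tags": [HOSTED_TAG],
            "descriptions": [{"lang": "en",
                              "value": "Issue in a hosted service, fixed server-side."}],
            "affected": [{"vendor": "ExampleCloud", "product": "Hosted API"}],
        }},
    },
    {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": "CVE-0000-0002", "state": "PUBLISHED"},
        "containers": {"cna": {
            "descriptions": [{"lang": "en",
                              "value": "Issue in a client SDK; upgrade required."}],
            "affected": [{"vendor": "ExampleCloud", "product": "Client SDK",
                          "versions": [{"version": "1.0", "status": "affected",
                                        "lessThan": "1.2", "versionType": "semver"}]}],
        }},
    },
])


def cna_tags(record):
    """Return the CNA container's tag list, or [] if it is absent or malformed."""
    tags = record.get("containers", {}).get("cna", {}).get("tags", [])
    return tags if isinstance(tags, list) else []


def requires_customer_action(record):
    """Records tagged exclusively-hosted-service were fixed by the provider.

    Anything else (including records with no tags at all) is treated as
    needing triage on the customer side, which is the safe default.
    """
    return HOSTED_TAG not in cna_tags(record)


def triage(feed_json):
    """Split a JSON list of CVE records into (act, informational) ID lists."""
    act, info = [], []
    for rec in json.loads(feed_json):
        if rec.get("dataType") != "CVE_RECORD":
            continue  # ignore anything in the feed that is not a CVE record
        cve_id = rec.get("cveMetadata", {}).get("cveId", "<missing id>")
        (act if requires_customer_action(rec) else info).append(cve_id)
    return act, info


if __name__ == "__main__":
    needs_action, informational = triage(SAMPLE_FEED)
    print("needs customer action:", needs_action)
    print("informational (provider-side fix):", informational)
```

The default is deliberately conservative: a record is only routed to the informational queue when the tag is explicitly present, so a missing or malformed tags field still lands in the queue a human reviews.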
Google To Issue CVEs For Cloud Vulnerabilities
Phil Venables, CISO of Google Cloud, emphasized the importance of this initiative, stating, “Transparency and shared action, to learn from and mitigate whole classes of vulnerability, is a vital part of countering bad actors. We will continue to lead and innovate across the community of defenders.”
This expanded CVE program aligns with recommendations from the Cyber Safety Review Board (CSRB), which has highlighted the critical role of strong security commitments in preventing errors and breaches.
The move is particularly relevant in light of recent incidents, such as the Storm-0558 attack that compromised the email accounts of various organizations, including government agencies.
Google Cloud’s commitment to vulnerability transparency builds upon its 20-year history of collaboration with external security researchers. The company has been a CVE Numbering Authority since 2011 and has issued over 8,000 CVEs across its consumer and enterprise products. In 2022, Google became one of MITRE’s four Top-Level Roots, further solidifying its role in the security community.
This initiative complements Google Cloud’s existing Vulnerability Reward Program (VRP), which offers bug bounties of up to $100,000 for security issues discovered in its products and services.
While the VRP focuses on strengthening Google Cloud’s security posture through collaboration with external researchers, the expanded CVE program aims to provide a comprehensive tracking system for publicly known vulnerabilities.
By normalizing a culture of transparency around security vulnerabilities, Google Cloud reinforces its commitment to a shared fate model, working alongside customers to continuously improve security measures across its platform.