Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption
Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of patches fixed on some Microsoft 'patch Tuesdays' are uncovered by Google), so this could have a big impact.
Permalink for comment 563510
RE[5]: Comment by Nelson
by JAlexoid on Mon 3rd Jun 2013 13:02 UTC in reply to "RE[4]: Comment by Nelson"

most would consider it a software defect which is more commonly known as a bug

That is - for a fact - not true. Design flaws are not bugs. A lot of security vulnerabilities are and were not bugs, but perfectly correct implementations of designs and requirements.

Sorry you are being a pedantic dick-piece.

And I just hope that you don't work on any of the software that stores my private information...

Also you make no mention of whether you actually created the patch, deployed it or the complexity.

How about all three steps, on multiple occasions and none of them were SQL injection.
And since when does anyone give a f**k about complexity when it comes to critical vulnerabilities?

Score: 3