Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of patches fixed on some Microsoft 'patch Tuesdays' are uncovered by Google), so this could have a big impact.
RE[9]: Comment by Nelson
by JAlexoid on Tue 4th Jun 2013 11:38 UTC in reply to "RE[8]: Comment by Nelson"

They might have a higher priority, but they are not magically simpler to fix in a robust and responsible manner.

Never did I say that it's easier. If anything, it's harder due to pressure. And responsible comes later.

companies in general rushing fixes leads to worse solutions, and gives context to why they have such processes

A fix is not always a code patch. Sometimes it's a workaround, which is a temporary fix.

A full 60 days is an extraordinary amount of time.

A full 7 days of response is a massive amount of time for a critical vulnerability.

I think I'd be a little concerned to work at a company that threw established process away in the favor of brevity

And where are you getting that from? Also most established SDPs have to accommodate this kind of urgency, where applicable.

Thankfully, software engineering is not the same as open heart surgery.

Thankfully it isn't, but in a lot of cases lives and livelihoods can be affected.

Not everyone has an SLA

Yes, not everyone. There is a reason why some companies hate the idea that Google will start disclosing that information early. These companies have SLAs with their clients that state that they have to release fixes (temporary and permanent) for publicly disclosed vulnerabilities in a certain amount of time or pay hefty fines.
