Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption
Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are for vulnerabilities uncovered by Google), so this could have a big impact.
Thread beginning with comment 563446
RE: Comment by Nelson
by silviucc on Sat 1st Jun 2013 20:07 UTC in reply to "Comment by Nelson"
silviucc Member since:
2009-12-05

The point of the matter is that people affected by a 0-day should know ASAP.

Some other news outlets erroneously reported something along the lines of "they better have a fix in 7 days or else". Mitigation should be possible if not by the vendor at least by the customer(s).

That 7-day window is already too large because I have the feeling that once a 0-day is uncovered and reported, the people that could do harm already know about it.

I hope there are not people in the crowd following OSnews that believe that blackhats get their exploit info from reading CVEs ;)

Reply Parent Score: 6

RE[2]: Comment by Nelson
by Nelson on Sat 1st Jun 2013 21:13 in reply to "RE: Comment by Nelson"
Nelson Member since:
2005-11-29

"That 7-day window is already too large because I have the feeling that once a 0-day is uncovered and reported, the people that could do harm already know about it."


Have black hats traditionally independently discovered and exploited the same 0-day a white hat disclosed? I don't doubt they have the skill to discover an exploit, I'm just not certain if they'd be one and the same.

Reply Parent Score: 2

RE[3]: Comment by Nelson
by silviucc on Sat 1st Jun 2013 21:31 in reply to "RE[2]: Comment by Nelson"
silviucc Member since:
2009-12-05

No dude, I'm sure that they "discover" exploits by reading CVEs. LoL

Edited 2013-06-01 21:32 UTC

Reply Parent Score: 2

RE[3]: Comment by Nelson
by Laurence on Mon 3rd Jun 2013 08:15 in reply to "RE[2]: Comment by Nelson"
Laurence Member since:
2007-03-26

"Have black hats traditionally independently discovered and exploited the same 0-day a white hat disclosed? I don't doubt they have the skill to discover an exploit, I'm just not certain if they'd be one and the same."

Sometimes vulnerabilities are found that black hats haven't discovered themselves. Often vulnerabilities are found that black hats have already been aware of (and are often even using already).

So it's better to assume that an exploit is already in common use and have full disclosure early on (and thus allow critical systems to have additional protections where necessary) than to keep things secret until patches finally trickle their way downstream, in the hope that the white hats were lucky enough to find the vulnerability first (the former is security in practice, the latter is security through obscurity).

Edited 2013-06-03 08:17 UTC

Reply Parent Score: 4