Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are uncovered by Google), so this could have a big impact.
Thread beginning with comment 563453
RE[2]: Comment by Nelson
by Nelson on Sat 1st Jun 2013 21:10 UTC in reply to "RE: Comment by Nelson"
Nelson Member since: 2005-11-29

As usual, you vastly oversimplify a complicated matter.

There are a lot of variables involved in software engineering, and any one change can affect various hardware configurations running on that platform, especially something as important as say, Windows.

What one person considers a fix might break something else, and cause major quality headaches down the road.

How do you deal with that? Would you appreciate a Windows Update screwing your install? It'd be a disaster.

You can be advised via partial disclosure of a flaw and act accordingly. There is full disclosure, then there's being unreasonable.

There are potentially millions at risk, not something to be taken lightly.

Reply Parent Score: 2

RE[3]: Comment by Nelson
by Neolander on Sun 2nd Jun 2013 14:26 in reply to "RE[2]: Comment by Nelson"
Neolander Member since: 2010-03-08

Regarding security fixes, I would have spontaneously assumed that a company the size of Microsoft would have boatloads of automated regression tests in place in order to ensure that a security patch won't likely break a customer's machine (unless he is using code that binds to undocumented APIs or crap like that). Isn't that the case?

Edited 2013-06-02 14:27 UTC

Reply Parent Score: 4

RE[4]: Comment by Nelson
by Nelson on Sun 2nd Jun 2013 16:30 in reply to "RE[3]: Comment by Nelson"
Nelson Member since: 2005-11-29

Yes I do assume so, which is likely why a proper fix would take time to develop and thoroughly assess. There are also obviously things not covered by tests yet, so identifying the root cause of the issue can probably lead to a more robust fix.

Reply Parent Score: 3