Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption: Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are for bugs uncovered by Google), so this could have a big impact.

+1, and if I'm understanding correctly, just posting an advisory is enough to put off the disclosure (at least temporarily?)

If so this seems like a non issue, and like you said, just bad PR

Reply Parent Score: 2

Vanders Member since:

just posting an advisory is enough to put off the disclosure (at least temporarily?)

Hopefully it depends on what the definition of "advisory" is. A full CVE is an advisory. "lol there's totally a bug guiz! h4x!" isn't.

Reply Parent Score: 3

chithanh Member since:

I think it is mostly accepted that an advisory at least contains descriptions of the following:

1. affected product(s)
2. impact
3. countermeasures

Anything less and letting Google disclose the vulnerability would be preferable to me.

Reply Parent Score: 2

JAlexoid Member since:

As much as I read the reports, it's the "journalists" blowing it out of proportion (with partial reporting) and Microsoft fanboys jumping onto slamming Google.

Reply Parent Score: 3