Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption

Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are uncovered by Google), so this could have a big impact.
Soulbender Member since:
2005-08-18

If we are to believe that article, 95% of the world's software companies are run by, and employ, only incompetent buffoons. Granted, we all know that "enterprise software" is just another name for "software so crap that only corporate purchasing will buy it", but 95% is probably too high. Maybe 70%.

Seriously though, if a company can't get a fix, or at least an advisory with a workaround, out in 7 days they deserve to be out of business.

Reply Parent Score: 5

bhtooefr Member since:
2009-02-19

When you're dealing with an OS-level bug, where the fix could break tons of software (especially given that Windows 8 can still run Windows 3.0 software)?

Reply Parent Score: 3

chithanh Member since:
2006-06-18

When you're dealing with an OS-level bug, where the fix could break tons of software (especially given that Windows 8 can still run Windows 3.0 software)?

Then you release a hotfix along with your advisory, and your customers have to test whether their Windows 3.0 software still works with that fix before applying it to production systems.

Reply Parent Score: 4

Soulbender Member since:
2005-08-18

When you're dealing with an OS-level bug, where the fix could break tons of software

I really don't see how that would prevent releasing an advisory with a workaround, if one exists.

Reply Parent Score: 4

JAlexoid Member since:
2009-05-19

When you are reporting an exploitable "feature" present from Windows 3.0, then maybe that feature should be killed off? People that still run Windows 3.0 apps better have a good plan for migration and should be aware of the implications of running those apps.

Reply Parent Score: 3