Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption
Google is changing its disclosure policy for zero-day exploits - both in their own software and in that of others - from 60 days to 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of the patches fixed on some Microsoft 'Patch Tuesdays' are uncovered by Google), so this could have a big impact.
Thread beginning with comment 563494
RE[2]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 07:03 UTC in reply to "RE: Comment by Nelson"
lucas_maximus Member since:
2009-08-18

You have no idea do you?

I work on a fairly small code-base; if there is a bug, it can take weeks before it goes through the QA process and I get the go-ahead to release.

This is not taking into account my own time ... and when I can be put on task for it.

Reply Parent Score: 2

RE[3]: Comment by Nelson
by cfgr on Mon 3rd Jun 2013 09:47 in reply to "RE[2]: Comment by Nelson"
cfgr Member since:
2009-07-18

You have no idea do you?

I work on a fairly small code-base; if there is a bug, it can take weeks before it goes through the QA process and I get the go-ahead to release.

This is not taking into account my own time ... and when I can be put on task for it.


Then maybe there is something wrong with the whole process. I'd say: hold companies accountable starting 7 days after they've been notified. Let good old capitalism take care of this. You'll be surprised how quickly the process adapts towards better security (fixing and prevention).

Reply Parent Score: 3

RE[4]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 10:33 in reply to "RE[3]: Comment by Nelson"
lucas_maximus Member since:
2009-08-18

Sometimes there is no quick fix or it isn't easily identifiable.

Everyone assumes this fantasy scenario where things can be fixed instantly by a bit of heroic coding.

In corporations you don't just throw a patch in and hope it sticks. These longer processes are in place for a reason ... most of them legal.

Edited 2013-06-03 10:40 UTC

Reply Parent Score: 2

RE[3]: Comment by Nelson
by JAlexoid on Mon 3rd Jun 2013 11:27 in reply to "RE[2]: Comment by Nelson"
JAlexoid Member since:
2009-05-19

A bug is not the same as a critical security vulnerability. If you lump them together, then it's you who has no clue.

Security vulnerabilities have high priorities and just like bugs are classified Minor, Moderate, Major and Critical.
I've had to patch a few critical security vulnerabilities. The total response time for them ranges 8-72 hours, including QA. A week to patch, or even put out an advisory, is exceptionally generous.

Reply Parent Score: 3

RE[4]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 11:43 in reply to "RE[3]: Comment by Nelson"
lucas_maximus Member since:
2009-08-18

A bug is not the same as a critical security vulnerability. If you lump them together, then it's you who has no clue.


Since we are talking about software, most would consider it a software defect, which is more commonly known as a bug. Sorry, you are being a pedantic dick-piece.

Security vulnerabilities have high priorities and just like bugs are classified Minor, Moderate, Major and Critical.

I've had to patch a few critical security vulnerabilities. The total response time for them ranges 8-72 hours, including QA. A week to patch, or even put out an advisory, is exceptionally generous.


But you still have to go through a change management process.

Also you make no mention of whether you actually created the patch, deployed it or the complexity.

i.e. fixing an SQL injection vulnerability is relatively easy compared to something like patching a vulnerability in some critical part of the OS.

I can claim to have fixed critical security vulnerabilities when all I really did was change a particular procedure to use parameterised queries and a SPROC.

Edited 2013-06-03 11:45 UTC

Reply Parent Score: 3
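The "easy" fix lucas_maximus describes above, a string-built query replaced by a parameterised one, looks like this in practice. This is an added example, not code from the thread or from any commenter; it uses Python's standard sqlite3 module and a constructed three-row users table so it runs offline. The table name, column names and sample rows are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny users table kept in an
# in-memory SQLite database so the example runs without any external server.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """'Before': the caller's value is spliced into the SQL text, so the engine
    cannot distinguish data from query syntax. Kept only to show the defect."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """'After': the SQL text is fixed before any user input is seen and the
    value travels as a bound parameter, so quotes in the input are just data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and return (vulnerable, parameterised)
    row counts, so the two behaviours can be compared side by side."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, name)),
                len(lookup_parameterised(conn, name)))
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both versions agree.
    print(compare("alice"))
    # Input containing quote characters: the string-built query's WHERE clause
    # is rewritten by the input and matches every row, while the parameterised
    # query correctly finds no user with that literal name.
    print(compare("' OR '1'='1"))
```

The point for a reviewer is in `compare`: the parameterised version returns the same rows as the vulnerable one for well-formed input, which is why the change is low-risk and fast to QA, while diverging only on input that was never a valid name. That is also why this class of fix fits comfortably inside a seven-day window in a way a kernel or OS-component patch may not.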