Linked by Thom Holwerda on Sat 1st Jun 2013 18:43 UTC
Privacy, Security, Encryption Google is changing its disclosure policy for zero-day exploits - both in their own software as in that of others - from 60 days do 7 days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." I support this 100%. It will force notoriously slow-responding companies - let's not mention any names - to be quicker about helping their customers. Google often uncovers vulnerabilities in other people's software (e.g. half of patches fixed on some Microsoft 'patch Tuesdays' are uncovered by Google), so this could have a big impact.
Thread beginning with comment 563498
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 10:33 UTC in reply to "RE[3]: Comment by Nelson"
lucas_maximus
Member since:
2009-08-18

Sometimes there is no quick fix or it isn't easily identifiable.

Everyone assumes this fantasy scenario where things can be fixed instantly by a bit of heroic coding.

In corporations you don't just throw a patch in and hope it sticks. These longer processes are in place for a reason ... most of them legal.

Edited 2013-06-03 10:40 UTC

Reply Parent Score: 2

RE[5]: Comment by Nelson
by cfgr on Mon 3rd Jun 2013 12:20 in reply to "RE[4]: Comment by Nelson"
cfgr Member since:
2009-07-18

All too often there is no quick fix due to: 1) a lack of testing before release, 2) negligence, 3) too much bureaucracy.

In corporations you don't just throw a patch in and hope it sticks. These longer processes are in place for a reason ... most of them legal.

Exactly, so use the 'legal' argument to alter these processes. If it costs money, too bad. When a household appliance is malfunctioning, the manufacturer is held accountable as well. It's called warranty and it lasts at least 2 years in Europe. From europa.eu: "If a product cannot be repaired or replaced within a reasonable time or without inconvenience, you may request a refund or price reduction." Most companies seem to have a policy of about two weeks (and that includes returning and reshipping, which are not applicable for software.)

Those longer processes are in place for one reason only: to save money. And it saves them money because they are not held accountable for the downsides of those processes (i.e. long times until security issues get fixed). So make it cost those corporations money for willfully putting their customers at risk longer than necessary and they'll change their priorities.

By altering the market conditions a bit, it will (perhaps slowly, but steadily) optimise itself for these new conditions: those who fail to invest in security will disappear, those with good security practices will be rewarded and their "processes" will be copied and optimised further.

Edited 2013-06-03 12:20 UTC

Reply Parent Score: 3

RE[6]: Comment by Nelson
by lucas_maximus on Mon 3rd Jun 2013 15:46 in reply to "RE[5]: Comment by Nelson"
lucas_maximus Member since:
2009-08-18

This sounds like the usual nonsense from someone who doesn't work software industry.

Long processes are in there to stop these sort of mistakes happening in the first place or worse making the situation worse.

Reply Parent Score: 2