Google Advocates 7-Day Deadline For Vulnerability Disclosure

Posted by timothy on Thursday May 30, 2013 @02:50AM from the on-the-7th-day-you-can-rest dept.

Trailrunner7 writes "Two security engineers for Google say the company will now support researchers publicizing details of critical vulnerabilities under active exploitation just seven days after they've alerted a company. That new grace period leaves vendors dramatically less time to create and test a patch than the previously recommended 60-day disclosure deadline for the most serious security flaws. The goal, write Chris Evans and Drew Hintz, is to prompt vendors to more quickly seal, or at least publicly react to, critical vulnerabilities and reduce the number of attacks that proliferate because of unprotected software."

1 of 94 comments (clear)

Min score:

Reason:

Sort:

Re:And when they get bitten in the ass? by fuzzyfuzzyfungus · 2013-05-30 03:25 · Score: 4, Interesting

Seem like they recommending it only for "critical vulnerabilities under active exploitation".

Honestly, I'm a bit surprised that they offer even seven days of cover for vulnerabilities with detected exploits. I can certainly see the wisdom of the "Please, don't release 'proof of concept exploit toolkit, not for use for evil' ten minutes after emailing the vendor about the problem..." appeal; but I'd be inclined to report the discovery of an active exploit immediately, as being a noteworthy event in itself.