Slashdot Mirror


Questioning Google's Disclosure Timeline Motivations

An anonymous reader writes "The presence of 0-day vulnerability exploitation is often a real and considerable threat to the Internet — particularly when very popular consumer-level software is the target. Google's stance on a 60-day turnaround of vulnerability fixes from discovery, and a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality. As a web services company it is much easier for Google to develop and roll out fixes promptly — but for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic. Statements like these from Google clearly serve their business objectives. As predominantly a web services company with many of the world's best software engineers and researchers working for them, one could argue that Google's applications and software should already be impervious to vulnerabilities (i.e. they should have discovered them themselves through internal QA processes) — rather than relying upon external researchers and bug hunters stumbling over them."

5 of 73 comments

  1. Just Google? by chrylis · Score: 5, Insightful

    Why single out Google? Shouldn't traditional software vendors have also run programs through QA?

    1. Re:Just Google? by Nerdfest · Score: 5, Insightful

      Most other companies don't have well-funded FUD campaigns directed against them.

  2. Re:You suck by JMJimmy · Score: 5, Insightful

    Also, even if they can't patch it quickly the point is to inform users so they can take appropriate precautions.

  3. Critical vulnerabilities under active exploitation by mattiaza · Score: 5, Informative

    Google recommends 7 days for "critical vulnerabilities under active exploitation", and 60 days for vulnerabilities that are assumed to not yet be known to attackers.

    Frankly, even 7 days is too long for active attacks. Publishing the vulnerability lets users use a workaround or shut down the service or app entirely until a fix is released.

  4. What?! by CanEHdian · Score: 5, Insightful

    a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality. As a web services company it is much easier for Google to develop and roll out fixes promptly — but for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic

    Hello there, mr/ms/mrs anonymous COWARD, what are you saying there? It COSTS TOO MUCH to promptly (as in a week) fix ACTIVELY EXPLOITED vulnerabilities? When you get the actual problem handed to you on a silver platter? What company do you work for?

    --
    When the copyright term is "forever minus a day", live every day like it's the last.