I think the stance of Chris Evans and Drew Hintz over at Google on a 60‑day turnaround of vulnerability fixes from discovery, and a 7-day turnaround of fixes for actively exploited unpatched vulnerabilities, is rather naive and devoid of commercial reality.
As a web services company it is much easier for Google to develop and roll out fixes promptly - but for 95+% of the rest of the world's software development companies making thick-client, server and device-specific software this is unrealistic.
Statements like these from Google clearly serve their business objectives. As predominantly a web services company with many of the world's best software engineers and researchers working for them, one could argue that Google's applications and software should already be impervious to vulnerabilities (i.e. they should have discovered them themselves through internal QA processes) - rather than relying upon external researchers and bug hunters stumbling over them.
With that in mind, I'd be more inclined to say that Google (and any web-based service provider - e.g. Salesforce.com, etc.) should be fixing disclosed vulnerabilities within 48 hours of knowledge of them and, in the case of 0-days, the turnaround should be within 12 hours. While the 12-hour turnaround may not be the "final" fix - something could be rapidly put in place to prevent exploitation at the very least.
From an IOActive perspective, when I think of the vulnerabilities we uncover in ICS, medical devices and enterprise-level solutions software on a daily basis, I'm cognizant of the effort that goes on behind the scenes as these manufacturers drive through sophisticated QA processes to ensure their fixes work for all possible customer configurations.
Unlike a flaw in Gmail which allows someone to conduct a cross-site scripting attack - in many cases we're talking about vulnerabilities that have national security implications and huge monetary and safety implications.
I'd hope that Google's pursuit of shorter patch release timeframes is genuinely to make the Internet a safer place - but I fear that this latest position may be more of a competitive business statement, rather than a naive understanding of non-web service development cycles.