Google defines disclosure timeline for actively exploited bugs

The debate regarding responsible vulnerability disclosure and full vulnerability disclosure has been started many times in the past, and it’s an issue that will continue to be debated in the future even though the likelihood of reaching a consensus is practically nil.

Some companies, like French security firm Vupen, long ago stopped providing free vulnerability information to software vendors and have turned to selling it to the highest (allegedly verified and approved) bidder. Others, like Google, still believe in sharing that information with the vendors.

Several years ago, Google opted for a responsible disclosure policy that gave vendors 60 days to issue a fix for critical vulnerabilities that Google engineers found during unrelated research, but it also said it would support its researchers “setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug.”

That statement was elaborated on Wednesday, when Google security engineers Chris Evans and Drew Hintz took to the company’s official online security blog to say that giving vendors 7 days to implement any kind of fix for an actively exploited vulnerability is more than enough.

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” they wrote.

“As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

The blog post was prompted by Google researchers’ discovery of a “previously unknown and unpatched vulnerability in software belonging to another company” that is actively being targeted by attackers.

Unfortunately, there is no mention of what that software may be, but I can’t help wondering whether it has something to do with the recent revelation by researcher Tavis Ormandy of the existence of a new Windows zero-day vulnerability that supposedly affects all currently supported versions of the OS.