Google Security Pushes for 7-Day Vulnerability Publishing
May 30, 2013 2:29 PM
This could encourage companies to issue security patches more quickly
is backing a new seven-day deadline that would allow researchers to make serious vulnerabilities public a week after notifying a company.
Google security engineers Chris Evans and Drew Hintz said they want critical vulnerabilities under active exploitation to be published seven days after researchers have informed the company about them. They said this will lead to quicker patches and cut the risk of further problems in the future.
“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” said Evans and Hintz. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Right now, companies use either responsible disclosure or full disclosure when dealing with vulnerabilities. Responsible disclosure allows a company as much time as they want to patch an exploit, and the details surrounding the bug aren't revealed to the public until a patch is issued. Full disclosure, on the other hand, means the company and the public are given information about the flaw at the same time.
Three years ago, Google's security team introduced a 60-day notice in order to find a happy medium between the two disclosures. This meant that researchers could publish details about a flaw for the public to see after 60 days whether a patch was issued or not.
But it looks like Google is taking this a giant step further by advocating a new seven-day deadline, where researchers can make details about a flaw public only a week after telling the company about it.
However, Google realizes that seven days is not enough time to patch all vulnerabilities. Even if a company can't address the bug in seven days, the researchers could still publish the details of the software flaw after a week so that the public can protect itself.
Earlier this month, Google security engineer Tavis Ormandy
exposed a Microsoft flaw
on Full Disclosure. The Microsoft vulnerability, which was in the Windows kernel driver "Win32k.sys," was featured in a Full Disclosure mailing list on May 17.
Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."
Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.
Google Online Security Blog
“And I don't know why [Apple is] acting like it’s superior. I don't even get it. What are they trying to say?” -- Bill Gates on the Mac ads
Google Engineer Finds Microsoft Security Flaw, Says Company is Hostile About It
May 23, 2013, 10:51 AM
Google has developed Deep Learning Algorithm to detect Diabetic Eye Disease
December 4, 2016, 5:00 AM
Google plans ultra-fast wireless Internet for Research Triangle Park, N.C.
August 12, 2016, 6:30 AM
Twitter Senior VP: "Diversity is Important, But We Can’t Lower the Bar"
November 9, 2015, 9:59 AM
CNN Resorts to Internet Censorship to Promote Clinton Over Senator Sanders
October 15, 2015, 2:47 PM
Breaking Bad: How to Crash Google's Chrome Browser With Just 8 Characters
September 23, 2015, 11:08 AM
Quick Note: Amazon UK Offers £10 Back on Any Order £50 or Over
August 3, 2015, 12:05 PM
Most Popular Articles
Sales Battle - Apple iPad Mini vs Samsung Galaxy Tab
November 29, 2016, 12:36 AM
PlayStation 4 Pro – 4K Console for 4K TVs
November 28, 2016, 1:00 AM
Phillips 55’ 4K Smart TV – Is This Really a Deal? We Think So.
November 25, 2016, 9:44 AM
Google Wi-Fi – A Scalable Wi-Fi Solution for any size Home or Apartment
November 30, 2016, 1:00 AM
PIQ ROBOTTM reveals its new artificial intelligence software
November 29, 2016, 12:59 AM
Latest Blog Posts
Apple Car is Not Dead
Dec 5, 2016, 1:00 AM
Dec 4, 2016, 5:00 AM
Dec 3, 2016, 5:00 AM
Dec 2, 2016, 5:00 AM
Surface Ergonomic Keyboard
Dec 1, 2016, 3:01 AM
Chapeconense plane crash: Football rallies around Brazilian Team
Nov 30, 2016, 1:00 AM
How to Extends Your iPhone’s Battery Life
Nov 29, 2016, 12:49 AM
Nov 28, 2016, 1:12 AM
News: Fidel Castro
Nov 27, 2016, 5:00 AM
Nov 26, 2016, 5:00 AM
Changes in Social status affect the way genes turn on and off within immune cells.
Nov 25, 2016, 5:12 AM
Austrian far–right hopeful Hofer may back EU vote.
Nov 24, 2016, 4:00 AM
Final Fantasy XV Leaked Before Nov 29 Launch Date
Nov 23, 2016, 1:00 AM
Nov 22, 2016, 2:26 AM
Nov 21, 2016, 1:00 AM
HTC Makes Big Moves in China
Nov 20, 2016, 2:00 AM
Do you know who is the number one company in the word?
Nov 19, 2016, 5:30 AM
Foldable Cardboard ”EcoHelmet” wins James Dyson Award’s Top Prize
Nov 18, 2016, 2:39 AM
Scientists Discover Roundest Object Ever Spotted in Universe
Nov 17, 2016, 1:00 AM
Smallest Device Lets You Print Almost from Anywhere
Nov 16, 2016, 9:32 AM
More Blog Posts
Copyright 2016 DailyTech LLC. -
Terms, Conditions & Privacy Information