Google Security Pushes for 7-Day Vulnerability Publishing
May 30, 2013 2:29 PM
This could encourage companies to issue security patches more quickly
is backing a new seven-day deadline that would allow researchers to make serious vulnerabilities public a week after notifying a company.
Google security engineers Chris Evans and Drew Hintz said they want critical vulnerabilities under active exploitation to be published seven days after researchers have informed the company about them. They said this will lead to quicker patches and cut the risk of further problems in the future.
“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” said Evans and Hintz. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Right now, companies use either responsible disclosure or full disclosure when dealing with vulnerabilities. Responsible disclosure allows a company as much time as they want to patch an exploit, and the details surrounding the bug aren't revealed to the public until a patch is issued. Full disclosure, on the other hand, means the company and the public are given information about the flaw at the same time.
Three years ago, Google's security team introduced a 60-day notice in order to find a happy medium between the two disclosures. This meant that researchers could publish details about a flaw for the public to see after 60 days whether a patch was issued or not.
But it looks like Google is taking this a giant step further by advocating a new seven-day deadline, where researchers can make details about a flaw public only a week after telling the company about it.
However, Google realizes that seven days is not enough time to patch all vulnerabilities. Even if a company can't address the bug in seven days, the researchers could still publish the details of the software flaw after a week so that the public can protect itself.
Earlier this month, Google security engineer Tavis Ormandy
exposed a Microsoft flaw
on Full Disclosure. The Microsoft vulnerability, which was in the Windows kernel driver "Win32k.sys," was featured in a Full Disclosure mailing list on May 17.
Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."
Microsoft has been annoyed with Ormandy for publicly discussing vulnerabilities before they could be patched. Microsoft prefers "responsible disclosure," where security experts are asked to report flaws privately to the company.
Google Online Security Blog
"Paying an extra $500 for a computer in this environment -- same piece of hardware -- paying $500 more to get a logo on it? I think that's a more challenging proposition for the average person than it used to be." -- Steve Ballmer
Google Engineer Finds Microsoft Security Flaw, Says Company is Hostile About It
May 23, 2013, 10:51 AM
Science & Environment
February 20, 2017, 6:37 AM
The USA’s newest weather satellite sends first photos.
January 24, 2017, 6:41 AM
Netflix took a decision to invest in original content
January 19, 2017, 7:00 AM
Amazon Airborne Fulfillment Center – Your Merchandise Drop-Shipped from the Clouds
December 29, 2016, 5:00 AM
Amazon is experimenting with a new kind of grocery stores, Amazon Go
December 8, 2016, 5:00 AM
Google has developed Deep Learning Algorithm to detect Diabetic Eye Disease
December 4, 2016, 5:00 AM
Most Popular Articles
Lenovo MIIX 510 – Excellent 2-In-One Tablet with Unique Watchband Hinge
March 17, 2017, 7:50 AM
Samsung Galaxy S8, Rumored Launch Date!
March 18, 2017, 6:45 AM
Gigabyte GA-Z170X-Gaming G1 – Intel Thunderbolt 3 Certified Motherboard
March 9, 2017, 6:25 AM
Xiaomi Mi Note 2 – This Chinese Phablet is the Best
February 24, 2017, 7:25 AM
Lenovo ThinkPad T460 - Ultra-Thin and Feather-light
March 3, 2017, 6:00 AM
Latest Blog Posts
Apple Announces new color for iPhones and iPads
Mar 22, 2017, 7:45 AM
Instagram: You Can Now Save Live Videos For Later
Mar 21, 2017, 7:49 AM
Samsung Galaxy S8 to Get New Color Scheme
Mar 20, 2017, 7:45 AM
What else to worry about?
Mar 17, 2017, 6:45 AM
Icon of the Day: Intel/ NVIDIA or Mobileye
Mar 16, 2017, 6:15 AM
JUST IN - Twitter Hijacked : High-Profile Account Accesses
Mar 15, 2017, 7:07 AM
Mar 14, 2017, 7:30 AM
News and Tips
Mar 13, 2017, 6:30 AM
iPhone 8 – May Not Get Curved Screen
Mar 11, 2017, 8:00 AM
California paves way to self-driving car tests without humans
Mar 11, 2017, 7:18 AM
Smart Machines V hackers
Mar 10, 2017, 7:00 AM
Uber Can Resume Autonomous Car Testing in California
Mar 9, 2017, 6:50 AM
Mar 8, 2017, 7:09 AM
Mar 7, 2017, 8:45 AM
World news 3-6
Mar 6, 2017, 5:40 AM
Mar 4, 2017, 7:40 AM
Mixed News of the Day
Mar 4, 2017, 6:32 AM
Jaguar Land Rover invests in ride-sharing
Mar 3, 2017, 7:00 AM
Mixed News of The World:
Mar 2, 2017, 7:02 AM
World New 3-1
Mar 1, 2017, 6:30 AM
Gaming News of The Day
Feb 28, 2017, 6:56 AM
More Blog Posts
Copyright 2017 DailyTech LLC. -
Terms, Conditions & Privacy Information