Google cuts grace period for vendors of vulnerable software
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 3 Jun 2013 01:52:12 -0400
Google is shortening the amount of time it gives to makers of
vulnerable software and web services if there is imminent danger. The
Google security team say that if they encounter a zero-day issue that
is already being actively used for cyber attacks, it will grant the
affected manufacturer just seven days' grace to fix the vulnerabilities
or publish an advisory with mitigation strategies for users.
After seven days, Google wants to publish details of the vulnerability
in such a way that users of the vulnerable software can protect
themselves from attacks. Previously, the company had given vendors
sixty days before it went public with details of vulnerabilities.
Google says, though, that it has found zero-day vulnerabilities being
used to target a limited subset of people and this targeting makes the
attack more serious than a widespread attack and more important to
resolve quickly, especially where political activists are being
compromised and the attacks can have "real safety implications" in
some parts of the world.
Google admits the seven day period is an "aggressive time frame" but
that it offers sufficient time for a vendor to either publish advice
on how to, for example, temporarily disable a service, restrict access
or offer contact information to provide more direct assistance. "Each
day an actively exploited vulnerability remains undisclosed to the
public and unpatched, more computers will be compromised," says Google,
adding that it also plans to hold itself to the same standard and hopefully
improve the coordination of both web security and vulnerability
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.