Google will make critical security exploits known after a week

Dave LeClair


Google and its team of security researchers are known for catching some of the biggest security exploits in other companies' products. Normally, the period for revealing a flaw to the general public is 60 days, which gives the affected company enough time to fix the problem. However, Google has decided to change that policy, and instead will start making exploits known in a week. 

This change only applies to critical vulnerabilities that are actively being exploited. Google says that each day such a vulnerability is unknown and unpatched, more computers are bound to be compromised. 

The decision comes shortly after Google engineer Tavis Ormandy disclosed a publicly unknown vulnerability found in Windows 7 and Windows 8. In that case, the announcement was made only five days after Microsoft was informed of the bug, with Ormandy calling Microsoft's security team "difficult to work with." 

Google finds bugs and vulnerabilities in software from many companies, but Redmond is certainly a frequent target. For example, in February Microsoft issued a huge patch, and in that case about half of the flaws fixed were discovered by the search giant's engineers. 

Of course, this is a hotly contested issue. Google believes that a week is enough time to tell users about workarounds that mitigate the problem, even if not long enough to issue a proper patch. On the other side, opponents believe that reporting the bug before there is a fix puts hacking tools in the hands of malicious users.

While the move puts extra pressure on companies to fix critical flaws in their software, Google will keep the standard 60-day grace period for non-critical problems and for flaws that are not actively being exploited.


 
Hopefully it will motivate the other companies to issue fixes faster, rather than sitting on their hands... I agree with Google on this. If they know there is a security flaw, who's to say that others haven't found it as well? So waiting 60 days could be more dangerous than announcing it publicly sooner.
 
How kind of Google to worry about someone else's software. Who worries about theirs? Certainly not M$ unless they're being paid.
 
I hope it doesn't lead to poorly tested patches. I get that the flaw is a problem, but it takes time to make a fix and test that the patch didn't break other sections of your code.
 
I hope it doesn't lead to poorly tested patches. I get that the flaw is a problem, but it takes time to make a fix and test that the patch didn't break other sections of your code.
How else would they be able to send out consecutive patches? At least with the patching we fall under a false sense of thinking they are doing something. What would we think if they didn't have anything to patch?

I guess you can tell I don't have any respect for a company that wants everyone around the globe paying them yearly. I tend to wonder where it all goes. And if I really knew, I'd probably be pissed instead of just disappointed.
 
I agree with Google on this one. I'm not sure it would be right to leave the users at risk for 60 days just because the other company didn't make their product right the first time or wants to put off fixing the security flaw. I think a smaller window will help push these companies to take those security flaws more seriously.

Also, Google is basically doing their jobs by finding these security flaws for them; that makes it a bit more difficult to criticize them :p
 
I agree with Google on this one. I'm not sure it would be right to leave the users at risk for 60 days just because the other company didn't make their product right the first time or wants to put off fixing the security flaw. I think a smaller window will help push these companies to take those security flaws more seriously.

Also, Google is basically doing their jobs by finding these security flaws for them; that makes it a bit more difficult to criticize them :p


How do you figure? When that one company from Pwn2Own decided they didn't want to release the exploits that they took the time to figure out, Google threw a hissy fit and made their own competition. Either play by the rules or don't. Don't be a hypocrite.
 
How do you figure? When that one company from Pwn2Own decided they didn't want to release the exploits that they took the time to figure out, Google threw a hissy fit and made their own competition. Either play by the rules or don't. Don't be a hypocrite.


Actually, if Google was upset that they didn't release the exploits, then that would make Google a hypocrite only if they are NOT releasing the exploits. Since Google is now releasing them even faster, it is actually being the exact opposite of a hypocrite.

And what are these "rules" you're talking about? Google is the one who found the exploits; the "rules" concerning the release of those exploits are whatever Google says they are.
 