Google Cuts Down Zero-Day Disclosure Period To 7 Days

If the company responsible for the software doesn’t fix zero-day vulnerabilities in seven days, Google will spread the word

Google has reduced the period between disclosing vulnerabilities to relevant third-party software developers and announcing them to the wider world.

For unknown and unpatched ‘zero-day’ vulnerabilities under active attack, Google will keep its discovery quiet for seven days only, instead of the usual two months.

Over the years, Google has disclosed dozens of actively exploited zero-day vulnerabilities to affected vendors, including XML parsing vulnerabilities, universal cross-site scripting bugs and targeted web application attacks.

Zero-day threat

Google said that in the past, it has uncovered zero-day vulnerabilities that were exploited to target small groups of people, such as political activists in less stable parts of the world. And in these cases, timely action could literally mean the difference between life and death.


Google’s standard period for keeping vulnerabilities under wraps is 60 days, but based on its experience, critical vulnerabilities that are being actively exploited can and will be disclosed by its researchers after just seven days.

“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” wrote Chris Evans and Drew Hintz, security engineers at Google.

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”

If seven days pass, and the responsible organisations haven’t issued a patch or advisory, Google will take matters into its own hands and inform the community so users can protect themselves. The company has promised to hold itself to the same standard.

But not everyone thinks Google is doing the right thing, at least from the business perspective. “I think the stance of Chris Evans and Drew Hintz over at Google … is rather naïve and devoid of commercial reality. As a web services company it is much easier for Google to develop and roll out fixes promptly – but for 95+ percent of the rest of the world’s software development companies making thick-client, server and device-specific software this is unrealistic,” Gunter Ollmann, CTO of IOActive, told TechWeekEurope.


Originally published on eWeek.