Google supports public virus disclosures
Posted by Stefan Mileschin ([M] Reviewer), 3rd June 2013, 11:26

Google has announced that the search engine will support security researchers publicising details of critical vulnerabilities under active exploitation after just seven days.

This means that if a security expert finds a flaw, Google will have just seven days to fix it before the researcher can make it all public.

If it is adopted widely it would mean that vendors have less time to create and test a patch than the previously recommended 60-day disclosure deadline for the most serious security flaws.

Writing in their blog, Google developers Chris Evans and Drew Hintz said that the goal of the change is to prompt vendors to more quickly seal, or at least publicly react to, critical vulnerabilities and reduce the number of attacks that proliferate because of unprotected software.

It would mean an end to the days of vendors using responsible disclosure to delay issuing a fix as long as possible, sometimes even years.

Only once a patch is issued does a researcher reveal details of the software flaw. Under the concept of full disclosure, both the company and the public are given details at the same time.

Google broke ground on the problem when it issued the 60-day notice almost three years ago. It was seen as a compromise between full and responsible disclosures for critical vulnerabilities, particularly those that require complex coding to fix.

But since there are now zero-day exploits targeting unpatched software, Google has decided that things need to be sped up.

The standing recommendation is that companies should fix critical vulnerabilities within 60 days. If a fix is impossible, they should notify the public about the risk and offer workarounds.

Based on Google's experience, more urgent action, within seven days, is appropriate for critical vulnerabilities under active exploitation.

The pair acknowledge a week's notice is unrealistic in some instances. But, they believe, it provides enough time for a company to provide mitigations such as temporarily disabling a service or restricting access to reduce the risks of further exploits in the wild.

The same deadline will apply to those bughunters who discover vulnerabilities in Google products too, they said.