Google: Disclosure timeline for vulnerabilities under active attack

Google has announced that it will be disclosing information on actively-exploited vulnerabilities after seven days. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves."

Posted May 31, 2013 3:53 UTC (Fri) by jke (guest, #88998)

"Actively-exploited" means cat's out of the bag already. Might as well tell everyone so that at the very least users and admins can be on the lookout. I don't see any need for 7 days of letting the bad guys go nuts.

I don't care about what it means for PR.

Posted Jun 3, 2013 13:34 UTC (Mon) by k8to (subscriber, #15413)

Having worked inside various vendors and seeing how difficult it is to apply leverage to get the various corporate drones to do the right thing, I'm not really sure it makes sense to delay disclosure generally.

But certainly if something's being exploited, delaying disclosure is only protecting people's sense of convenience.

Copyright © 2013, Eklektix, Inc.