Two security engineers for Google say the company will now support researchers publicizing details of critical vulnerabilities under active exploitation just seven days after they’ve alerted a company.
That new grace period leaves vendors dramatically less time to create and test a patch than the previously recommended 60-day disclosure deadline for the most serious security flaws.
The goal, write Chris Evans and Drew Hintz, is to prompt vendors to more quickly seal, or at least publicly react to, critical vulnerabilities and reduce the number of attacks that proliferate because of unprotected software.
Vendors have long been criticized for using responsible disclosure to their advantage, delaying a fix for as long as possible, sometimes for years. Under responsible disclosure, a researcher reveals details of the flaw only once a patch is issued. Under full disclosure, the company and the public are given the details at the same time.
The 60-day notice was announced almost three years ago by a Google security team that included Evans, as a compromise between full and responsible disclosure for critical vulnerabilities, particularly those that require complex coding to fix. But the regular appearance of zero-day exploits targeting unpatched software has prompted Google to reconsider that timeline.
“Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds,” the two said in a blog post today. “We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within seven days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Anticipating pushback, the pair acknowledge a week’s notice is unrealistic in some instances. But, they believe, it provides enough time for a company to provide mitigations — such as temporarily disabling a service or restricting access — to reduce the risks of further exploits in the wild.
“As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves,” they wrote.
The same deadline will also apply to bug hunters who discover vulnerabilities in Google products, they said.
“By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management.”