Google wants software vendors to respond to vulnerabilities within 7 days
Vendors should issue fixes or at least mitigation advice for zero-day flaws within a seven-day time frame, Google security engineers say
IDG News Service - Google wants vendors to fix or offer mitigation advice for previously unknown and actively exploited software vulnerabilities within seven days of their discovery.
"After 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves," Google security engineers Chris Evans and Drew Hintz said Wednesday in a blog post.
In 2010, Google researchers proposed a public disclosure deadline of 60 days for critical vulnerabilities and said that vendors should release a patch or mitigation information for them within that time frame.
"Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation," the Google security engineers said. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."
Over the years, Google security researchers have found dozens of cases where attackers were actively targeting publicly unknown, or "zero-day," vulnerabilities in software from third-party vendors, Evans and Hintz said. "We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution," they said.
Many zero-day vulnerabilities are used against specific groups of individuals in targeted attacks that are often more serious than broader ones, the Google security engineers said. For example, political activists from certain parts of the world are frequently targeted and the compromise of their computers can have real implications for their personal safety, they said.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," Evans and Hintz said.
Google expects to be held to the same standard and hopes that this new recommended time frame for zero-day vulnerability response will improve the coordination of vulnerability management and the overall state of security on the Web.
Carsten Eiram, the chief research officer at security firm Risk Based Security, agrees that making information about zero-day vulnerabilities known to users is important. "Each day an 0-day [vulnerability] is left undisclosed, systems are at a greater risk," he said Thursday via email. "Google providing other vendors with 7 days to respond by either publishing an announcement or a fix is very reasonable; they should not provide more."
Google has a fairly large security research team whose members are often credited by third-party vendors, including large ones like Adobe and Microsoft, with discovering vulnerabilities in their products.