Google Gives Companies Just Seven Days to Fix Security Exploits


Being the all-powerful internet behemoth that it is, Google is often the first to stumble across security risks and vulnerabilities in other companies’ systems. When it does so, it tries to help, making them aware of the problem and giving them a 60-day grace period to sort things out. As of today, however, that time frame has been reduced to just seven days.

Google explained its reasoning in a blog post yesterday, saying that it’s become increasingly worried that the 60-day grace period is far too generous, and that as a result some companies seem to take their time fixing things. So in order to encourage these firms to step things up, security teams will be given a maximum of one week to sort it out – otherwise Google goes public to let people know about the risk.

Google engineers Chris Evans and Drew Hintz say that the change of policy will help people to protect themselves better:

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations. As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

Google added that its biggest concern was targeted attacks on specific individuals, rather than broader attacks:

“Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world.”

The move will likely have its proponents and its critics. On one hand, it’s good that someone is pressuring the more ‘lax’ companies to work at full speed and secure their software as soon as possible. On the other hand, there is the danger that this could backfire. Many vulnerabilities require a lot of work to fix, and sometimes seven days just isn’t enough. By going public before the vulnerability has been patched, Google would be alerting hackers to a flaw that is still exploitable. Even once a patch is released, machines that fail to install it would remain at risk.


The flip side is that plenty of hackers have exploited vulnerabilities in the past simply because companies have been too slow to fix them. A recent example was when a hacker going by the name of ViruS_HimA submitted a bug to Adobe. When the company failed to fix the flaw in a reasonable amount of time, ViruS_HimA decided to show them up instead, hacking Adobe himself and releasing over 150,000 emails and passwords of Adobe’s customers, employees and partners.

Mike Wheatley

Mike Wheatley is a senior staff writer at SiliconANGLE. He loves to write about Big Data and the Internet of Things, and explore how these technologies are evolving and helping businesses to become more agile.

Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occasional contributor to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.
