Being the all-powerful internet behemoth that it is, Google is often the first to stumble across security risks and vulnerabilities in other companies’ systems. When it does so, it tries to help, making them aware of the problem and giving them a 60-day grace period to sort things out. As of today, however, that time frame has been reduced to just seven days.
Google explained its reasoning in a blog post yesterday, saying that it has become increasingly worried that the 60-day grace period is far too generous, and that as a result some companies seem to take their time fixing things. So, in order to encourage these firms to step things up, security teams will be given a maximum of one week to sort it out – otherwise Google goes public to let people know about the risk.
Google engineers Chris Evans and Drew Hintz say that the change of policy will help people to protect themselves better:
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations. As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”
Google added that its biggest concern was targeted attacks on specific individuals, rather than broader attacks:
“Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world.”
The move will likely have its proponents and its critics. On one hand, it’s good that someone is pressuring the more ‘lax’ companies to work at full speed and secure their software as soon as possible. On the other hand, there is the danger that this could backfire. Many vulnerabilities require a lot of work to fix, and sometimes seven days just isn’t enough. By going public before the vulnerability has been patched, Google would be alerting hackers while it’s still there. It would also leave at risk those machines that fail to install the patch once it arrives.
The flip side is that plenty of hackers have exploited vulnerabilities in the past simply because companies have been too slow to fix them. A recent example was when a hacker going by the name of ViruS_HimA submitted a bug to Adobe. When the company failed to fix the flaw in a reasonable amount of time, ViruS_HimA decided to show them up instead, hacking Adobe himself and releasing over 150,000 email addresses and passwords belonging to Adobe’s customers, employees and partners.