UPDATED 08:45 EDT / MAY 31 2013


Google Gives Companies Just Seven Days to Fix Security Exploits

Being the all-powerful internet behemoth that it is, Google is often the first to stumble across security risks and vulnerabilities in other companies’ systems. When it does so, it tries to help, making them aware of the problem and giving them a 60-day grace period to sort things out. As of today, however, that time frame has been reduced to just seven days.

Google explained its reasoning in a blog post yesterday, saying that it has become increasingly worried that the 60-day grace period is far too generous, and that as a result some companies seem to take their time fixing things. So in order to encourage these firms to step things up, security teams will be given a maximum of one week to sort it out; otherwise Google goes public to let people know about the risk.

Google engineers Chris Evans and Drew Hintz say that the change of policy will help people to protect themselves better:

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations. As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

Google added that its biggest concern was targeted attacks on specific individuals, rather than broader attacks:

“Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world.”

The move will likely have its proponents and its critics. On one hand, it’s good that someone is pressuring the more ‘lax’ companies to work at full speed and secure their software as soon as possible. On the other hand, there is the danger that this could backfire. Many exploits require a lot of work to fix, and sometimes seven days just isn’t enough. By going public before the vulnerability has been patched, Google would be alerting hackers while the flaw is still there. This would also put at risk those machines that fail to install the patch.

The flip side is that plenty of hackers have exploited vulnerabilities in the past simply because companies have been too slow to fix them. A recent example was when a hacker going by the name of ViruS_HimA submitted a bug to Adobe. When the company failed to fix the flaw in a reasonable amount of time, ViruS_HimA decided to show them up instead, hacking Adobe himself and releasing over 150,000 emails and passwords of Adobe’s customers, employees and partners.

