Google Sets New Aggressive 7-Day Deadline For Vendors To Reveal Or Fix Zero-Day Bugs Under Attack

New policy narrows window for software vendors public response to zero-day bugs discovered by Google researchers

Google today put the squeeze on software vendors with a new policy for vulnerability disclosure that allows its researchers to provide details on zero-day bugs they find within seven days if the affected vendor hasnt provided an advisory or a patch.
Chris Evans and Drew Hintz, security engineers with Google, made the announcement in a blog post, noting that Googles researchers recently discovered attacks using a zero-day in another unnamed vendors software. We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn’t an isolated incident -- on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown (“zero-day”) vulnerabilities. We always report these cases to the affected vendor immediately, and we work closely with them to drive the issue to resolution, the Googlers said in their post.
Vulnerability disclosure long has been a hot button topic, with Google over the past few years pushing hard on vendors to more quickly warn users and fix new flaws, and software giant Microsoft standing by its policy that vulnerability fixes
should not be assigned deadlines
. Microsoft contends that patching is a delicate balance between quality and timeliness that cant be put on a specific deadline.
But Google is now dramatically narrowing the patch window for the most dangerous zero-day bugs it discovers and get used in attacks in the wild.
Our standing recommendation is that companies should fix critical vulnerabilities within 60 days -- or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation, the Google researchers say. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
They acknowledge that a one-week turnaround is tight and may not work for some vendors. And Google itself will follow the same timeline in fixing its own bugs, they say.
Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information, they say. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management.
Google security engineers in 2010
called it irresponsible for a software bug to remain unfixed over long periods of time
-- sometimes years. They announced back then that they would set disclosure deadlines for serious bugs they found, and if the affected vendor didnt fix the bug by that date, Google would publish an analysis of it and any workarounds.
Today the engineers say its becoming even more urgent to fix bad bugs faster. Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world, the said in their
post
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Google Sets New Aggressive 7-Day Deadline For Vendors To Reveal Or Fix Zero-Day Bugs Under Attack