Friday, May 31, 2013

Google: Disclosure timeline for zero-day vulnerabilities

Google has set a firm deadline for disclosing zero-day vulnerabilities

Google has introduced rules for disclosing information about new vulnerabilities analyzed by Google's security staff.

Manufacturers now have 7 days to correct actively exploited "zero-day" vulnerabilities, after which all of the available information will be made public. The changes apply only to "zero-day" problems that are already being used in attacks but for which fixes are not yet available.

For many manufacturers, seven days is too short a period to prepare and distribute updates. For example, critical security issues that do not fall under the "zero-day" category are recommended to be fixed within 60 days.

Nevertheless, for "zero-day" problems that are already being exploited, such time frames are unacceptable, and if the manufacturer is not able to release an update quickly, users need to be given the ability to take action to protect their systems: disable the service or restrict access to it. Also, even without releasing an update, the manufacturer can provide advice on a workaround or provide a temporary solution to the problem.
