If you follow information-security news, you may have heard that Google is considering a change to its vulnerability disclosure policy. Here is a link to their blog. Until now, when Google came across a new vulnerability in another vendor's software, it notified the vendor and published the details only after 60 days. In other words, the vendor had a grace period of two months to investigate the issue and release a patch. Under the new policy, Google will disclose the details after 7 days if the issue is already "under active exploitation". Although the software behemoth has not yet confirmed the change, it signals a significant shift. If Google has notified you of a vulnerability in a product you are responsible for, you have only one week, yes, only one week, to get it investigated and patched, or you will be in a very unpleasant situation: the details of your weakness will be public while your customers have no patch to install to protect themselves. They are not likely to be very happy. You would have to move fast, actually very fast, to avoid this outcome.
Regardless of who you are and what your job is, whether a worker in the high-tech industry, an IT security administrator, a journalist or any of many other roles, you may well think that this is a great move by Google. If the issue is being exploited in the wild, the bad guys already have exactly the information they need to leverage it, and customers are at serious risk of being targeted with limited ability to defend their systems. This rationale makes a lot of sense. But is it really that simple? Let's think about it a little further.