Google Supports 7-Day Deadline For Critical Exploit Reports

Google's security researchers regularly find exploits and zero-day vulnerabilities in third-party software, and for years the company's practice has been to notify the affected vendor immediately, work with it to fix the problem, and push for a patch within 60 days, after which details could be disclosed to the public.

Now Google is shortening that timeline considerably, to just 7 days, for one specific class of bug: critical vulnerabilities that are already being exploited in the wild. The 60-day guideline still applies to everything else. “Based on our experience...we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation”, wrote Google Security engineers Chris Evans and Drew Hintz in a blog post. “The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”

Google Security's Chris Evans (Image credit: Conference.Hitb.Nl)

That reasoning makes sense; the team noted that zero-day exploits are often used in targeted attacks against a small number of specific people, which makes the situation all the more urgent for those being hit. Seven days is not much time for a vendor to fix anything, but that is the point Google's engineers are making: these matters are urgent and need to be addressed immediately, not after the usual patch cycle.

Even so, the security team acknowledges that 7 days is often not enough time for a vendor to build, test, and ship a proper update. What they argue it is enough time for is warning customers and publishing mitigation advice: workarounds, temporarily disabling the affected service, restricting access to it, and similar steps that limit exposure until a real fix arrives.

Essentially, instead of letting a problem quietly fester for weeks or even months before it is fixed, Google is saying that immediate action is necessary, even if that action is only alerting the public that a problem exists and how to reduce the risk.

To put it another way: in the past, fixing these vulnerabilities was like the fire department trying to put out the fire without telling anybody that the building was aflame; now, they'll try to get everyone out and to safety first.