Google will release details of any zero-day flaws it finds in software, if the affected vendor fails to issue a patch or disclose the issue itself within a week.
Google is now shortening its previous disclosure timeline considerably, to just 7 days. "Based on our experience...we believe that more urgent action within 7 days is appropriate for critical vulnerabilities under active exploitation", wrote Google Security engineers Chris Evans and Drew Hintz in a blog post. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."
Right now, companies handle vulnerabilities under one of two models: responsible disclosure or full disclosure. Responsible disclosure gives a company as much time as it wants to patch a vulnerability, and the details of the bug aren't revealed to the public until a patch is issued. Full disclosure, on the other hand, means the company and the public are given information about the flaw at the same time.
Many zero-day vulnerabilities are used against specific groups of individuals in targeted attacks that are often more serious than broader ones, the Google security engineers said.
Google acknowledges, however, that seven days is not enough time to patch every vulnerability. Its position is that even when a company can't fix the bug within seven days, researchers should still be free to publish details of the flaw after a week, so that the public can take steps to protect itself.
Large software vendors like Microsoft, Adobe and Oracle, whose products are a frequent target of zero-day attacks, have experience in dealing with such incidents and have processes in place that allow them to respond in a timely manner most of the time. However, smaller vendors might be less prepared to deal with zero-day vulnerabilities and alert their customers.
Earlier this month, Google security engineer Tavis Ormandy publicly exposed a Microsoft flaw on the Full Disclosure mailing list. The vulnerability, in the Windows kernel driver Win32k.sys, was posted to Full Disclosure on May 17. Ormandy also took a jab at Microsoft in his post, writing: "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."
The same deadline will also apply to bug hunters who discover vulnerabilities in Google's own products, the engineers said.