The search giant has recently announced that it will support security researchers who publicize details of critical flaws under active exploitation after one week. In other words, if a security expert finds such a vulnerability, the affected company will have only 7 days to fix it before the researcher makes it public. If this practice is adopted widely, vendors will have far less time to create and test a patch than under the previously recommended 2-month disclosure deadline. Google's developers pointed out that their aim is to prompt vendors to fix critical flaws more quickly and thus reduce the number of attacks, which proliferate because unpatched software stays exposed.
This change would mean an end to the days when software developers could use responsible disclosure to delay issuing a fix for years. Under responsible disclosure, a researcher reveals details of a software vulnerability only after a patch is issued. Under full disclosure, by contrast, both the company and the public are given the details at the same time.
It was Google that broke ground on the problem by introducing the 60-day notice about 3 years ago. This was regarded as a compromise between full and responsible disclosure for critical flaws, especially those that required complex code changes to fix. But today there are zero-day exploits that target unpatched software, and this is why the search giant has decided that things should be sped up. The current recommendation is that developers have to fix critical vulnerabilities within 2 months. If they can't issue a patch in that time, the vendor should notify the public about the risk and offer workarounds. However, Google's experience shows that more urgent action, within one week, is appropriate for critical flaws under active exploitation. Although in some cases a 7-day notice is unrealistic, the search engine believes that it provides enough time for a developer to publish mitigations — for example, temporarily disabling a service or restricting access to it — in order to reduce the risk of further exploitation in the wild. The company pointed out that the same deadline will apply to bug hunters who discover flaws in Google's own products as well.