Google oftentimes finds vulnerabilities in other companies’ systems. When those vulnerabilities are critical, the company used to give the affected vendor a 60-day grace period. That’s been knocked down to seven days as of today.
The company released a blog post today explaining that while it typically gives companies a 60-day grace period to work on vulnerabilities, it is worried about the time frames in which more critical vulnerabilities are closed up. In the case of these critical issues, Google says it will alert the affected company and then give its security team seven days to fix the problem. Google plans to give itself the same treatment.
“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations,” said Google security engineers Chris Evans and Drew Hintz in the blog post. “As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”
Google explained that it is, if anything, more concerned with targeted attacks than with broader-scale attacks. It used the example of political activists and the repercussions of their identities, locations, and other personal information being leaked.
Of course, while the idea is to make sure that companies are working at full speed to secure their software, there’s always the chance that a vulnerability might be complex and take more than seven days to patch. In this case, if the information is already out there, hackers can begin exploiting the vulnerability while it’s still live, and on any machines that don’t install the patch once it’s released.
Some hackers, however, have exploited vulnerabilities simply because the company was too slow in shutting them down. In November 2012, a hacker known as Hima hacked into Adobe’s systems because, he said, it takes Adobe too much time to shut down reported bugs. Adobe explained, however, that Hima never actually submitted a bug. The hacker released 150,000 email addresses and passwords associated with Adobe employees, customers, and partners.