Google Blogoscoped

Forum

Google's security team's thoughts about responsible vulnerability disclosure

Juha-Matti Laurio [PersonRank 10]

Wednesday, July 28, 2010
2,169 views

Link:

http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html

Philipp Lenssen [PersonRank 10]

13 years ago

> Whilst every bug is unique, we would suggest that 60 days
> is a reasonable upper bound for a genuinely critical issue
> in widely deployed software.

Hmm, I think what's important is to take up the *communication* with whoever submitted the bug. An auto-reply won't suffice, but if someone tells me "we're actively working on a fix and will let you know soon, please don't publish this yet", it's quite something different. If no response at all is given, I usually consider around 30 days to be the default for revealing full details (though one can, in certain cases, immediately reveal the consequences and appearance of the bug to end users, if no manual is given to recreate the issue).

Google has often not reacted very well to being alerted to security issues. Sometimes they didn't write back; at other times they didn't consider the issue an issue until that "full disclosure" was published. (At other times, they did reply, though, and fix issues.)
