Google’s security researchers are well known for uncovering vulnerabilities in other people's products. Standard operating procedure is to give the affected company sixty days before publishing the problem, keeping things under wraps until a fix can be shipped out. But when it comes to critical vulnerabilities that are actively being exploited, Google wants its researchers to cut that down to just a week. A post on its Online Security Blog explains the reasoning behind the seven-day guideline: "each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."
The change in policy comes two weeks after Google engineer Tavis Ormandy disclosed a publicly unknown vulnerability ("zero day") in Windows 7 and Windows 8. Ormandy made the announcement just five days after informing Microsoft of the bug, bemoaning the company’s security team as "difficult to work with." And while Google finds vulnerabilities in various companies' products, Redmond is a frequent target. In Microsoft's huge "Patch Tuesday" bugfix in February, Google researchers uncovered more than half of the reported flaws.
The company says it's holding itself to the same standard
So is Google in the right? The company argues that speedy disclosure is important for a bug that's actively being exploited, and that even if it’s not enough time for the affected vendor to patch its software, it should be long enough to tell users about workarounds that mitigate the problem. Others disagree, arguing that the benefits are outweighed by the likelihood that publicizing vulnerabilities puts hacking tools in the hands of malicious users. Google is still recommending the normal 60 days for vulnerabilities that are non-critical or aren’t being actively exploited, and the company says it’s holding itself to the same standard, but we doubt everyone is going to take too kindly to the revamped schedule.