The Verge spotted a controversial post on Google’s Online Security Blog in which the company says it will now publish security vulnerabilities discovered by its security researchers after just seven days rather than the existing sixty.
The policy affects what Google terms “critical vulnerabilities under active exploitation” – in other words, weaknesses that can do Bad Stuff to users and which are already being used by attackers …
Our standing recommendation is that companies should fix critical vulnerabilities within 60 days — or, if a fix is not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
The issue is controversial because it involves balancing risks. If people don’t know they are at risk, they can do nothing to protect themselves against an issue. On the other hand, once Google makes the exploit public knowledge, other bad guys can start using the same technique for their own attacks.
Google clearly feels that the balance of risk favours disclosure. Others, like Sophos blogger Graham Cluley, disagree, commenting on an earlier example of Google publicising a Windows XP vulnerability within a week:
In my opinion publishing exploit code was utterly irresponsible behaviour, and I was worried that having such information floating around the internet would make it easy for cybercriminals to take advantage.
Predictably enough, malicious hackers are now using the zero-day vulnerability according to a blog post by my colleague Donato Ferrante in SophosLabs, as a compromised website has been found that uses the exploit to drop a Trojan horse onto unsuspecting users’ computers.
Clearly both arguments have merit, and it will be interesting to see whether a consensus develops for or against the move.