Google fires back on vulnerability reports

Google was wrongly accused of failing to patch vulnerabilities

Google has voiced sharp criticism of vulnerability database services in the wake of a report from IBM's X-Force which accused the search firm of leaving 33 per cent of its reported flaws unpatched.

Adam Mein, of Google's security team, said in a blog post that the process of collecting and producing reports on security vulnerabilities generates data that is "commonly outdated or inaccurate to some degree".

"To make these databases more useful for the industry and less likely to spread misinformation, we feel there must be more frequent collaboration between vendors and compilers," he said.

"As a first step, database compilers should reach out to vendors they plan to cover in order to devise a sustainable solution for both parties that will allow for a more consistent flow of information."

Mein claimed that the issue is due to a mistake in the classification of one of the three high-risk error reports Google had seen. Following the correction, the company's percentage of unpatched flaws went from 33 to zero.

X-Force manager Tom Cross acknowledged the corrections, and urged developers to get in contact with the company regarding any errors or inaccuracies in its vulnerability database.

"This sort of input is crucial for us. With more input from software vendors about vulnerability information we get greater accuracy in our snapshot of the industry," he wrote in a blog post.