A pair of Google engineers have cited a recent slew of unannounced zero-day vulnerabilities in unnamed software vendors' products as proof that companies' current responsible disclosure policies are obsolete and should be reduced to just seven days.
Google security engineers Chris Evans and Drew Hintz reported uncovering the vulnerabilities in a public blog post on Thursday, and called for firms to take a more proactive approach to threat disclosures. "We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company. This isn't an isolated incident; on a semi-regular basis, Google security researchers uncover real-world exploitation of publicly unknown zero-day vulnerabilities," wrote the researchers.
The engineers said while it would be unrealistic to expect companies to be able to fix the vulnerabilities within a week of discovery, it is more than enough time to responsibly report them. "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," they wrote.
"As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the co-ordination of vulnerability management."
The upgraded announcement cycle would be a marked increase on Google's current 60-day responsible disclosure recommendation, which was implemented by the search giant three years ago. Evans and Hintz said the hastened time frame is an essential measure businesses must take if they hope to protect themselves and their customers from the increased cyber threat facing them. "Over the years, we've reported dozens of actively exploited zero-day vulnerabilities to affected vendors, including XML parsing vulnerabilities, universal cross-site scripting bugs, and targeted web application attacks," they wrote.
"Often, we find that zero-day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more urgent to resolve quickly. Political activists are frequent targets, and the consequences of being compromised can have real safety implications in parts of the world."
Google is one of many technology companies to call for businesses to be more proactive in combating and disclosing cyber threats. Microsoft recently loaded its anti-botnet security intelligence systems into Windows Azure, to help businesses spot threats more quickly. The UK government has also implemented new measures designed to let firms spot and disclose threats more quickly, launching the Cyber Security Information Sharing Partnership earlier this year.
Microsoft receives a 30 per cent cut of all purchases on the Xbox digital store
Credit card thieves used Apple ID accounts to buy and sell virtual currency for Clash of Clans and Clash Royale and Marvel Contest of Champions
$5.1bn fine further evidence that the EU is anti-US, claims Trump
New cable will connect Virginia to France