Google's Project Zero Updates Vulnerability Disclosure Rules To Add Patch Cushion (therecord.media)

The Google Project Zero security team has updated its vulnerability disclosure guidelines to add a 30-day cushion to some security bug disclosures, so that end users have enough time to patch their software before attackers can weaponize the bugs. From a report: This week's changes are of particular importance because a large part of the cybersecurity community has adopted Project Zero's rules as the unofficial methodology for disclosing a security bug to software vendors and then to the general public. Prior to today, Google Project Zero researchers would give software vendors 90 days to fix a security bug. When the bug was patched, or at the end of the 90-day window, Google researchers would publish details about the bug online (on their bug tracker). Starting this week, Project Zero says it will wait a further 30 days before publishing any details about the bug. The reasoning behind the extra window is to give users of the affected products time to update their software, a process that can take days or weeks in complex corporate networks.

  • The attackers aren't going to wait; developers need a fire lit under their butts. Remember, every bug means they were incompetent and screwed up.

    • Uum, you clearly aren’t a programmer.
      Humans aren't perfect robots. (And robots made by humans aren't either.)

      I bet you're the one who'd screw up HelloWorld.py and then go to the basement to smite himself.

      • uh, I do development.

        There are not quite one dozen stupid mistakes made again and again that are responsible for 95-plus percent of security bugs.

        You only spew your ignorance on the topic.

  • For every researcher reporting it to Google, there are ten thugs that aren't.
    30 days does not prevent them from exploiting the bug.
    30 days gives *them* a cushion.

    • If there's a patch out there, people can apply it without having the details of the bug discussed. It has no effect on the attackers who already know about the bug, but it keeps copycats from developing.

      • by sconeu (64226)

        This. We don't need every "OOOH! I W4NNA B3 A 1337 H4xx0R!!!" script kiddie attacking while we patch.

        As was stated, the real thugs (nation state actors, major crime rings, etc...) already know. This is really to keep the kiddiez away, which is a good thing.
