Google researchers have announced a significantly shortened vendor response deadline that they hope others will adopt to spur quicker fixes.
Three years ago a group of Google engineers proposed that vendors should have 60 days to repair security vulnerabilities rated ‘critical’ in widely deployed software – or the researchers who privately tipped them off about the issue could go public with their findings.
However, this week Google engineers Chris Evans and Drew Hintz wrote on the company's Online Security blog that seven days is more appropriate for critical vulnerabilities under active exploitation.
“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” they said.
While the researchers conceded that a seven-day deadline may be too short for software makers to push out a permanent patch, they did say that it should provide enough time for them to offer tips on mitigating the threat.
“As a result, after seven days elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves,” the post said.
“By holding ourselves to the same standard, we hope to improve the state of web security and the coordination of vulnerability management.”