Three years ago, a group of Google engineers proposed that vendors should have 60 days to repair security vulnerabilities rated "critical" in widely deployed software – or the researchers who privately tipped them off about the issue can go public with their findings.
At the time, the authors of the blog post suggested that this two-month window considerably must shrink if the issue is being actively exploited against actual targets. On Wednesday, Google researchers announced a significantly shortened vendor response deadline that they hope others will adopt to spur quicker fixes.
"[W]e believe that more urgent action – within seven days – is appropriate for critical vulnerabilities under active exploitation," wrote Google engineers Chris Evans and Drew Hintz on Wednesday on the company's Online Security Blog. "The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised."
The researchers conceded that a seven-day deadline may be too short for software makers to push out a permanent patch, but they said it should provide enough time for them to offer tips on mitigating the threat.
"As a result, after seven days elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves," according to the post. "By holding ourselves to the same standard, we hope to improve the state of web security and the coordination of vulnerability management."
Evans and Hintz proposed the new time frame as worries grow over targeted attacks for which there is no patch, known as a zero-day, going after a "limited subset of people," they wrote.
Oftentimes, an issue that is discovered by a so-called white-hat hacker may already be known by more nefarious individuals who have the intention to leverage the bug in a malicious manner.
Last fall, Leyla Bilge and Tudor Dumitras of Symantec Research Labs conducted a study (PDF) of zero-day attacks in the wild and determined that their prevalence is more common that previously thought.
The researchers found that 0-day attacks lasted about 10 months on average before being discovered. Through data retrieved from some 11 million computers running Symantec anti-virus software, researchers studied 18 zero-day cases that occurred between 2008 and 2010. They found that the majority of these attacks, 11, involved vulnerabilities that had never before been publicly known.
Google may have some of the strictest guidance around vulnerability reporting, but other major IT vendors, including Microsoft, also have chimed in on the disclosure debate.