Google slaps 7 day deadline on companies to report security flaws

Google has announced that in future it will only be giving companies seven days to disclose zero-day vulnerabilities in software, after which time it will make the security glitches known publicly so that users can take appropriate steps to defend against them.

In a security policy update, Google decided to implement a new disclosure period of one week, stating that it believes more urgent action is needed in most of the cases its security engineers encounter.

Google recommends that companies fix critical vulnerabilities within 60 days, or at least provide workarounds, and it does not expect updates to vulnerable software within the new seven day period. However, it does call for companies to publish mitigation advice, such as temporarily disabling affected software.

The search giant has discovered and reported numerous zero-day vulnerabilities, including XML parsing glitches, universal cross-site scripting bugs, and targeted web application attacks.

It said that many of the security holes it encounters are targeted at a small number of people, but it believes these are the biggest threats, as they could be targeting political activists, whose lives are in danger.

Google will also hold itself to the new standard, attempting to rectify, or at least inform users about, newly-identified vulnerabilities within seven days.