Google gives 60-day deadline for bug disclosure

Google has called for software makers to adopt a 60-day deadline for patching critical flaws, warning that it will disclose the bugs if they are not fixed in time.

In a blog post on Tuesday, the team argued that it is not always in the best interests of end-users for researchers to follow a policy of "responsible disclosure". Under this policy, flaws are privately reported to vendors, and the researcher waits until the hole is patched before going public with details."We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the team wrote on the Google Online Security Blog.

One of the signatories of the post was Google employee Tavis Ormandy, who attracted criticism in June for not following Google's earlier guidelines on responsible disclosure. Ormandy reported a major security vulnerability in Windows XP to Microsoft, then five days later published an analysis of the flaw and proof-of-concept attack code on a security research mailing list.

For more on this story, read Google gives vendors 60 days to fix critical flaws on ZDNet UK.