Google gives vendors 60 days to fix critical flaws

Summary: The company's security team has reset its 'rules of engagement' for disclosing bugs to software makers, a month after a member was rapped by Microsoft for publishing an XP flaw

Google has called for software makers to adopt a 60-day deadline for patching critical flaws, warning that it will disclose the bugs if they are not fixed in time.

In a blog post on Tuesday, the company's security team described changes to its "rules of engagement" with software vendors, covering how and when it will report vulnerabilities to them. The team argued that it is not always in the best interests of end-users for researchers to follow a policy of "responsible disclosure", under which flaws are privately reported to vendors and the researcher waits until the hole is patched before going public with details.

"We've seen an increase in vendors invoking the principles of 'responsible' disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers," the team wrote on the Google Online Security Blog.

One of the signatories of the post was Google employee Tavis Ormandy, who attracted criticism in June for not following Google's earlier guidelines on responsible disclosure. Ormandy reported a major security vulnerability in Windows XP to Microsoft, then five days later published an analysis of the flaw and proof-of-concept attack code on a security research mailing list.

The team said that vendors, as much as researchers, should act responsibly and deal with issues quickly. Given that, Google is moving to a position where security flaws will be first disclosed to vendors, but if fixes do not appear within the time limit, the flaws will be disclosed to the public, according to the post.

"Serious bugs should be fixed within a reasonable timescale. While every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software," the team said.

From now on, the team will place a deadline on every issue they report to software makers, with the timeframe matching the severity of the bug. They will then publish full analyses of vulnerabilities if vendors miss the deadlines. In addition, if hackers already know of the bug, the disclosure deadline will be "aggressive", Google's team said.

In related news, Google said in a post on Tuesday to its Chromium Blog that it has increased the maximum bounty it will pay to researchers who find a bug in its Chromium software to $3,133.70 (£2,060). The previous maximum payout was $500, a figure that had come under criticism from security researchers, who called the amount "ridiculous". The move comes a day after Mozilla bumped up its bounty for bug hunters to $3,000.

Topic: Security

Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.

Talkback

3 comments
  • Hmm, very interesting.
    CA-aba1d
  • It seems a lot of people on the Google Security blog don't even know what cyber terrorism is.

    It is the act of posting a disclosure to change company or government policy, by way of cyber attacks created by the disclosure.

    http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html

    ---

    Andrew Wallace

    http://sites.google.com/site/n3td3v/
    n3td3v
  • Interesting point n3td3v, I'll have a look into this, though I'm sure that Google clear all their communications with their legal staff beforehand. Can you think of any previous cases where a major company has been charged for revealing an exploit? (I'm drawing a blank.)

    JC
    Jack Clark