Schneier: Concerns on Google's Vulnerability Disclosure Process

Changes include naming affected party and product after a week.

Google’s recent change to its vulnerability disclosure process has pros and cons, states Bruce Schneier.

In a post from late July, Google’s Project Zero team said its core 90-day disclosure deadline will remain in effect, but that within approximately one week of reporting a vulnerability to a vendor, it will publicly share that a vulnerability was discovered. This disclosure will name the vendor or open-source project that received the report, the product affected, the date the report was filed, and the date the 90-day disclosure deadline expires.

In a blog post, Schneier says he has mixed feelings about the change: on the one hand, it puts more pressure on vendors to patch quickly, but on the other hand, if no indication is given of how severe a vulnerability is, the early announcement could easily cause unnecessary panic.

“The problem is that Google is not a neutral vulnerability hunting party,” he says. “To the extent that it finds, publishes, and reduces confidence in competitors’ products, Google benefits as a company.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
