Google has made such strides in the world of search engines that many users around the world use the phrase “Just Google it”. Although Google is the leading search engine provider, it has also tried to provide its users with a variety of new services such as Google Music, Google Font Directory, Google Translate and many more. It is also very concerned with providing improved and secure services. It has recently proposed vulnerability disclosure deadlines for the benefit of its users. Google has recommended a limit of sixty days from the time the issue was reported.
Story behind the blind
Members of the Google Online Security Blog expressed concern about vendors who abuse the notion of responsible disclosure. As a result, a reasonable disclosure deadline of 60 days from notifying the affected party is proposed for adoption by security researchers.
“Responsible disclosure” vs. “full disclosure” has been a subject of discussion for years: how vulnerabilities should be reported, and which of the two is the superior approach. If you are involved in security research, you have to be on one side of the fence or the other.
Researchers using the full disclosure model tend to disclose vulnerability details to the public as soon as they are discovered. This has a positive impact for end users because vendors have to act without delay and issue patches.
The responsible disclosure model allows security researchers to communicate vulnerability details privately to vendors. In this way both parties, i.e. security researchers and vendors, can work in the best interest of end users. It has been observed that the responsible disclosure model prevents most cyber criminals from leveraging the flaw to attack people.
But Google’s Security Team claims: “We’ve seen an increase in vendors invoking the principles of ‘responsible’ disclosure to delay fixing vulnerabilities indefinitely, sometimes for years; in that timeframe, these flaws are often rediscovered and used by rogue parties using the same tools and methodologies used by ethical researchers.” So, to avoid this type of incident, a deadline of sixty days is suggested.
This deadline should not be fixed, of course; it must be flexible. The Google team should decide on the deadline according to the case. In cases where hackers are also aware of the bug, it should be more aggressive, and in cases where it is clear that a fix cannot be done in sixty days, it should be extended.
Finally, Google’s senior security researchers’ team said: “We would invite other researchers to join us in using the proposed disclosure deadlines to drive faster security response efforts. In our opinion, this small tweak to the rules of engagement will result in greater overall safety for users of the Internet.”