Is 7 Days Enough for Responsible Disclosure?
The debate about when is the right time to responsibly disclose a vulnerability is as old as the Information Security business itself.
This past week, Google provided fresh fuel for the fire by announcing a new seven-day disclosure policy for critical vulnerabilities that are under active exploitation.
Is seven days the right number?
The open source Metasploit project has become a key way for both hackers and researchers to learn more about vulnerabilities. Tod Beardsley, Metasploit engineering manager at Rapid7, told eSecurity Planet that as an open data zealot, he's happy Google is committing to a seven-day maximum for providing details on actively exploited, unpatched vulnerabilities.
"Once an exploit is on the Internet, the cat is pretty much out of the bag, and rebagging cats is difficult, painful, and largely pointless," Beardsley said. "It's heartening to see an Internet giant like Google sticking to a very reasonable disclosure policy like this."