

Disclosure timeline for vulnerabilities under active attack - rubinelli
http://googleonlinesecurity.blogspot.com/2013/05/disclosure-timeline-for-vulnerabilities.html

======
tokenadult
It would be best (per the HN guidelines) to title this submission with the
original article title, "Disclosure timeline for vulnerabilities under active
attack." That's a more neutral spin than the headline "Google: 7 days advance
notice is enough for actively exploited vulnerability" originally submitted
here.

~~~
tnorthcutt
I posted this yesterday with the original article title, but linked to the
.com version of the post, not the .com.br version:
<https://news.ycombinator.com/item?id=5789736>

~~~
lsaferite
They really should merge duplicate submissions under the first submission in
these cases.

------
joshdance
More aggressive reporting and patching I support.

On a side note, I have a hard time taking any blog at a .blogspot.com domain
seriously. Don't know why.

~~~
moonboots
Using different domains reduces attack surface area [1]. That said, I agree
that the blogspot domain and site design look amateurish.

[1] <https://github.com/blog/1466-yummy-cookies-across-domains>
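
The "attack surface" point above comes down to how browsers scope cookies by domain. The following is an added example, not code from the thread or from the linked GitHub post, that implements the domain-match rule of RFC 6265 (section 5.1.3) and the set-cookie check derived from it (section 5.3): a page can only set a cookie whose Domain attribute domain-matches its own host, and a cookie is only sent to hosts that domain-match its Domain. The cookie jar, host names and the tiny public-suffix set are constructed for illustration; real browsers consult the full Public Suffix List.

```python
"""Cookie domain scoping (RFC 6265) as an illustration of why serving
user-controlled content from a separate registrable domain keeps it away
from the main site's cookies. Added example; hosts and jar are constructed."""

import ipaddress

# Constructed stand-in for the Public Suffix List; browsers refuse cookies
# whose Domain attribute is a public suffix (e.g. "com"), otherwise any
# site could set cookies for every other site under that suffix.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def _canon(name: str) -> str:
    return name.lower().strip().rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches cookie_domain if they are
    identical, or cookie_domain is a label-aligned suffix of host and host
    is a hostname rather than an IP address."""
    host = _canon(request_host)
    dom = _canon(cookie_domain).lstrip(".")
    if host == dom:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals never match a parent domain
    except ValueError:
        pass
    return host.endswith("." + dom)


def can_set_cookie_for(page_host: str, domain_attr: str) -> bool:
    """RFC 6265 section 5.3 (steps 5-6): a page may set a cookie with a
    Domain attribute only if its own host domain-matches that attribute,
    and browsers additionally reject public-suffix domains."""
    dom = _canon(domain_attr).lstrip(".")
    if dom in PUBLIC_SUFFIXES:
        return False
    return domain_matches(page_host, dom)


def cookies_sent_to(jar, request_host: str):
    """Names of jar cookies the browser would attach to a request to host.
    jar is a list of (name, Domain attribute) pairs."""
    return sorted(name for name, dom in jar if domain_matches(request_host, dom))


# Constructed jar: a session cookie scoped to the parent domain, a cookie
# scoped to one host, and a cookie on an unrelated registrable domain.
JAR = [
    ("SID", "google.com"),
    ("prefs", "support.google.com"),
    ("blog_session", "blogspot.com"),
]

if __name__ == "__main__":
    # A user-controlled page on a *subdomain* of the main site can plant a
    # cookie for the whole site; one on a separate registrable domain cannot.
    print(can_set_cookie_for("usercontent.example.com", "example.com"))   # True
    print(can_set_cookie_for("someblog.blogspot.com", "google.com"))       # False
    print(cookies_sent_to(JAR, "support.google.com"))                      # SID, prefs
    print(cookies_sent_to(JAR, "googleonlinesecurity.blogspot.com"))       # blog_session
```

The two `can_set_cookie_for` calls are the whole argument: user content served from a subdomain of the main site can write (or clobber) cookies the main site reads, whereas content on its own registrable domain is confined to that domain, which is what the GitHub post's move to a separate domain achieved.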

~~~
tonfa
It's a policy issue:

> If we receive a removal request that violates local law, that content may no
> longer be available to readers on local domains where those laws apply.

<https://support.google.com/blogger/answer/2402711?hl=en>

------
mixedbit
I would even say that full disclosure should be standard in such cases. If a
vulnerability is already being exploited, some bad guys already know about it.
Keeping it secret, even for a short time, gives these bad guys an advantage and
hurts users who cannot take any extra precautions until the vulnerability is
disclosed.

~~~
gojomo
Not sure that follows, since 'bad guys' aren't monolithic.

It may still be less damaging for only 'some' bad guys to be using the
vulnerability, and continue to think that only they know it. (Thus, they use
it sparingly). Immediate full disclosure means 'all' bad guys learn of the
vulnerability, and then perhaps rush to maximally exploit (knowing they're in
a race to use ASAP or lose their chance).

------
bthomas
7 days is a fine maximum, but not necessarily a target. A malicious 3rd party
script should be removed in an hour.

Are there any independent groups that rate a firm's response to an exploit?
Other than HN comments and (rare) legal recourse, I don't know what pressure a
YC startup faces to do a good job in a holistic sense. It'd be nice if a
respected 3rd party were around to shame sites if necessary.

------
thomasvendetta
I wonder if this has anything to do with the 3rd party software used to
compromise drupal.org?

------
guelo
How would they know that a zero-day that they discover is being actively
exploited?

~~~
interurban
They have examples of malware that use that exploit?

~~~
gojomo
...perhaps gathered from honeypots or spear-phishing observed in gmail.

------
benmmurphy
What vendor are they referring to? Was this related to Tavis Ormandy's
trolling of Microsoft?

------
bribriinlondon2
Security?

