How quickly should software developers respond with a patch or mitigation advice when a security researcher informs them of a zero-day vulnerability? In 2010, Google said 60 days was soon enough, but now the company has issued a call for faster responses.
“Based on our experience, however, we believe that more urgent action — within 7 days — is appropriate for critical vulnerabilities under active exploitation,” wrote Google’s Chris Evans and Drew Hintz. “The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
Google said that it expects its developers to be held to the same standard.
