top | item 19298648

(no title)

hylianwarrior | 7 years ago

Literally the second sentence: "Its members locate flaws in software, privately report them to the manufacturers, and give them 90 days to resolve the problem before publicly disclosing it."

Privately disclosed to Apple, 90 days later they published. Simple as that.


rixrax | 7 years ago

I used to think that 90 days is quite unfair. And in many ways it can be. But it's a great equalizer. And that way no one company can claim that some other company got preferential treatment. And everyone by now knows that that's what it's going to be, instead of the p0 team having to have a fruitless back-and-forth with vendors about the impact and what would be a reasonable timeline for disclosure.

rat9988 | 7 years ago

90 days is equality but not equity. Not all bugs can be fixed in the same way. Moreover, 90 days seems arbitrary to me, unless there was some prior study behind this number.

zepto | 7 years ago

Preferential treatment is irrelevant. If harm is done due to the public disclosure, Google is the cause.

DoofusOfDeath | 7 years ago

I assume the GP was asking if the 90 day rule was really important to uphold, or if the disclosure could just be delayed longer until the patch went out.

ox_cable | 7 years ago

Well, expecting there to be a patch without the 90-day exploit exposure is very generous. The whole point of a 90-day (or any arbitrary stretch of time) deadline is that a lot of companies are funny when it comes to exploits. Security doesn't ever make a company money; it's a high cost that can only (at best) hope to prevent the company from having to make reparations after a breach, maybe lose a few customers. As such, many companies treat security reports with indifference and do nothing whatsoever about reported exploits until they're forced to. The only real way private researchers or security groups like Project Zero have to light a fire under the company concerning the exploit is to release the exploit to the public when it becomes clear that the company isn't going to fix the vulnerability on their own. At least now consumers are made aware of the exploit and can make an informed decision on a plan of action. 90 days, 180 days, a year... it doesn't matter, because people would criticize the length of time no matter what it is.

kkarakk | 7 years ago

The process is policy and is automated; no one gets extra time. AFAIK the clock starts from when they get the first reply from the company.