top | item 44725848

(no title)

eyalitki | 7 months ago

Not sure what is the measurable metric here, and what will be considered a success in this trial period.

Propagating the fix downstream depends on the release cycles of all downward vendors. Giving them a heads up will help planning, but I doubt it will significantly impact the patching timeline.

It is highly more likely that companies will get stressed that the public knows they have a vulnerability, while they are still working to fix it. The pressure from these companies will probably shut this policy change down.

Also, will this policy apply also to Google's own products?

discuss

zamadatix|7 months ago

The measure would probably be whether any of the reports led to examples of downstreams either syncing prior to release via security sharing they didn't already have established or any projects preparing to sync out of normal schedule ahead of time, regardless of if that's a small or large magnitude of change. How companies would prefer the public hear about a vulnerability has always been the lowest concern out of disclosures so I don't expect it to bring anything new here.

Google's products represent 3/6 of the initial vulnerabilities following this new reporting policy in the linked reporting page.