Re: Always a good thing
I always thought it was a balancing act that Google always got wrong.
Their 90-day deadline was all too strict, let alone the early notification if the patch was released early. There were several times where the 90 days couldn't be held to, because the normal patch cycle was on day 92 - 100, but Google still released the details, including full exploit code on day 90.
Even if the release on day 90 occurs, the users still have to patch. The bad guys could investigate the patch and try and work out what had been fixed, but with Google, they had a head start, because the exploit wasn't only explained, a useful proof of concept was handed to them on a plate.
I was always for Google informing the public about the need to patch as soon as the patch was released, but that they should hold off on the deep details and the PoC code until users had had a chance to patch their software. E.g. release an overview of the security problem on day 90, wait a week or 2 for users to patch, then release the PoC and details of the exploit.
The problem is, whilst this is the responsible way to do things, it isn't as headline-grabbing as dumping the full details on day one. By day 10, when the details would be released, people have already become bored with the topic and have moved on to something new.