Reply to post: Re: Always a good thing

Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea

big_D Silver badge

Re: Always a good thing

I always thought it was a balancing act that Google always got wrong.

Their 90-day deadline was all too strict, let alone the early notification if the patch was released early. There were several times where the 90 days couldn't be held to, because the normal patch cycle was on day 92-100, but Google still released the details, including full exploit code, on day 90.

Even if the release on day 90 occurs, the users still have to patch. The bad guys could investigate the patch and try to work out what had been fixed, but with Google they had a head start, because the exploit wasn't only explained; a useful proof of concept was handed to them on a plate.

I was always for Google informing the public about the need to patch as soon as the patch was released, but they should have held off on the deep details and the PoC code until users had had a chance to patch their software. E.g., release an overview of the security problem on day 90, wait a week or two for users to patch, then release the PoC and details of the exploit.

The problem is, whilst this is the responsible way to do things, it isn't as headline-grabbing as dumping the full details on day one. By day 10, when the details would be released, people have already become bored with the topic and have moved on to something new.



Biting the hand that feeds IT © 1998–2020