Google will give companies 7 days to fix critical bugs before calling them out

Google will force a company's hand if it finds critical vulnerabilities in their systems by publishing the bugs publicly within seven days.

Google often finds vulnerabilities in other companies’ systems. When those vulnerabilities are critical, the company used to give you a 60-day grace period. That’s been cut to seven days as of today.

The company released a blog post today explaining that while it typically gives companies a 60-day grace period to work on vulnerabilities, it is concerned about how long it takes for more critical vulnerabilities to be closed. In the case of these critical issues, Google says it will alert the affected company and then give its security team seven days to fix the problem. Google plans to hold itself to the same standard.

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations,” said Google security engineers Chris Evans and Drew Hintz in the blog post. “As a result, after seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.”

Google explained that it is, if anything, more concerned with targeted attacks than with broader-scale attacks. It used the example of political activists and the repercussions of their identities, locations, and other personal information being leaked.

Of course, while the idea is to make sure that companies are working at full-speed to secure their software, there’s always the chance that a vulnerability might be complex and take more than seven days to patch. In this case, if the information is already out there, hackers can begin exploiting the vulnerability while it’s still live — and on any machines that don’t install the patch once it’s released.

Some hackers, however, have exploited vulnerabilities simply because the company was too slow in shutting them down. In November 2012, a hacker known as Hima broke into Adobe’s systems because, he said, Adobe takes too much time to shut down reported bugs. Adobe explained, however, that Hima never actually submitted a bug. The hacker released 150,000 email addresses and passwords associated with Adobe employees, customers, and partners.

hat tip The Verge; Scared bug image via Shutterstock