Vulnerability disclosure policies have become a hot topic in recent years. Security researchers generally practice “responsible disclosure”, which involves privately notifying affected software vendors of vulnerabilities. The vendors then typically address the vulnerability at a later date, and the researcher reveals full details publicly at or after that time.
A competing philosophy, “full disclosure”, involves the researcher making full details of a vulnerability available to everybody simultaneously, giving no preferential treatment to any single party.
“A lot of talented security researchers work at Google, who discover many vulnerabilities in products from vendors across the board, and share a detailed analysis of their findings with vendors to help them get started on patch development. We’ll be supportive of the following practices by our researchers:
» Placing a disclosure deadline on any serious vulnerability they report, consistent with the complexity of the fix
» Responding to a missed disclosure deadline or refusal to address the problem by publishing an analysis of the vulnerability, along with any suggested workarounds
» Setting an aggressive disclosure deadline where there exists evidence that blackhats already have knowledge of a given bug,” stated Google.