Software vendors have to issue patches for zero-day vulnerabilities within one week, while critical flaws must be fixed within 60 days, Google stated in a blog post.
The company's security experts believe that 60 days is enough time to release a fix or, at the very least, a temporary workaround.
“Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.”
The blog post says: “We recently discovered that attackers are actively targeting a previously unknown and unpatched vulnerability in software belonging to another company.” Google is probably referring here to the recent hack of Drupal.org, in which attackers gained access to users’ information: their email addresses, countries of residence and hashed passwords.
“Google expects to be held to the same standard and hopes that this new recommended time frame for zero-day vulnerability response will improve the coordination of vulnerability management and the overall state of security on the Web,” the post states.