Google is making waves in the security vulnerability arena.

The company announced fixes for seven vulnerabilities in its web browser, five of which were discovered under its new incentive program. Google paid out over $2600 in bounties to those who found security holes in the Chrome web browser. In an effort to increase security, Google has raised the maximum bounty payout to over $3000.

The bounties and fixes are not the biggest security story coming out of Google, however. The company has made a public stand on security issues, advocating that “responsible disclosure” practices should be followed, but with time limits and restrictions. Responsible disclosure is the practice by which those who find security flaws report them first to the software vendor and do not release the information to the public until the vendor has found a fix for the problem. Google’s protest argues that this method of responsible disclosure encourages companies to withhold information about vulnerabilities. Google claims that some companies postpone finding a fix indefinitely, as they feel no pressure to do so without the public being aware of the problem.

Recently, several researchers have come under fire for revealing security vulnerabilities before a fix was ready. Google’s stance, which may not be popular within the software community, calls for a 60-day maximum responsible disclosure limit. This seems to be a reasonable policy, given the fact that many vulnerabilities are taken advantage of before they are made public. Providing a reasonable window of opportunity for a vendor to patch a problem before releasing the info is fair, and may prevent the vulnerability from being exploited.