US (BBN)-Google has been in the news for a rift with Microsoft over its strict 90-day vulnerability disclosure, where it makes security vulnerabilities public if vendors don’t take steps to remedy them within the stipulated time period.
Now, the Search giant has said it will give vendors a 14-day grace period if they promise to release a patch and fix the issue within two weeks, reports firstpost.com.
Google’s Project Zero is known to track software vulnerabilities and then report them to vendors. It gives vendors a 90-day window to fix the issue.
Along with the 14 days extension, Google has also said that it will not disclose the vulnerability to the public on weekends or US public holidays, in case the deadline falls on these days.
“We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” Google said in a blogpost.
However, this doesn’t mean Google has made any changes to how it will act if the vulnerability is not fixed.
It will still go ahead and publish the vulnerability if the issue isn’t fixed. Earlier this year, Google has openly published a Windows 8.1 vulnerability that gives low-level users administrator rights.
Given that the security flaw has been revealed without any fix, it could pose a threat to some Windows users.
Google said it gave Microsoft enough time to fix the problem before the codes went public on 29 December.
It further said Microsoft was informed about the issue on September 20 and its been 90 days since the security issue was brought to its notice.
BBN/SK/AD-16Feb15-3:30pm (BST)