Sunday, 1 August 2010

Google fixes 7 Chrome flaws

Google have rolled out fixes for seven vulnerabilities in their Chrome browser, paying out two USD$1,337 (as in 'leet') bounties to people who spotted them in the process.

The company also called for changes to the practice of 'responsible disclosure', whereby someone who finds a flaw reports it privately to the vendor rather than publishing it. Google claims that some vendors hide behind this practice and let fixes drag on for a long time, even years in some cases, saying in a blog post:
"We believe that responsible disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Serious bugs should be fixed within a reasonable timescale.

Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software."
Such a repair timescale calls for organised vendors able to deploy fixes quickly, of course - and I wonder whether this is a dig at the likes of Microsoft, who are often less timely in fixing problems.