It would be best (per the HN guidelines) to title this submission with the original article title, "Disclosure timeline for vulnerabilities under active attack." That's a more neutral spin than the headline "Google: 7 days advance notice is enough for actively exploited vulnerability" originally submitted here.
I wouldn't call the current title a "spin"; it's just a short summary of what Google explicitly said in the post that's more informative than the post title.
(Compare this key quote: "Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation.")
It's more neutral because it takes out a bunch of useful information and leaves practically nothing left, like a news story that's unbiased because it doesn't bother actually saying any facts. The original title doesn't even explain that Google is changing their policy. I understand wanting to remove editorializing, but there's a difference between that and adding some detail from the article itself to a rather contentless title.
The original article title is very weak, though – corporate dullspeak that obscures the real news, the new 7-day standard replacing an earlier 60-day standard.
It is possible to improve many headlines, and despite the slightest twinge of editorializing added by the "...is enough..." wording, the submitted headline was both accurate and informative.
Likely, the .br is there because the original submitter (here on HN) is from Brazil. Blogspot tends to redirect to the subdomain of the reader's country for some reason.
Agreed. I don't think there is anything stopping me from registering googleinternetsecurity.blogspot.com or officialonlinesecurity.blogspot.com if they filter out "google."
The Google security folks have been getting more and more selective about what goes under google.com (especially user-generated content) because stealing google.com cookies gives you the user's auth tokens.
I would even say that full disclosure should be standard in such cases. If a vulnerability is already exploited, some bad guys already know about it. Keeping it secret, even for a short time, gives these bad guys an advantage and hurts users that cannot take any extra precautions until the vulnerability is disclosed.
Not sure that follows, since 'bad guys' aren't monolithic.
It may still be less damaging for only 'some' bad guys to be using the vulnerability, and continue to think that only they know it. (Thus, they use it sparingly). Immediate full disclosure means 'all' bad guys learn of the vulnerability, and then perhaps rush to maximally exploit (knowing they're in a race to use ASAP or lose their chance).
7 days is a fine maximum, but not necessarily a target. A malicious 3rd party script should be removed in an hour.
Are there any independent groups that rate a firm's response to an exploit? Other than HN comments and (rare) legal recourse, I don't know what pressure a YC startup faces to do a good job in a holistic sense. It'd be nice if a respected 3rd party were around to shame sites if necessary.