The policy is *highly* flexible: any number of days between 0 and 90 is acceptable. In addition, if an update or patch was already scheduled within 14 days of the deadline, we offer a "grace period" to align the schedule.
Replying to @taviso
So in your opinion (or is it Google’s opinion?), all vulnerabilities (from low to critical) should be fixed within 90 days?
3 replies 0 retweets 8 likes -
Replying to @shhnjk
Three months is way too high in my opinion, it's a compromise. In open source, the norm is closer to 90 hours. Linus famously tells people not to tell him about bugs if you want them kept secret for more than two weeks, because he'll just fix them.
2 replies 5 retweets 63 likes -
Replying to @taviso
But even well funded open source software like Chrome still has a dozen of vulns unfixed for a year (and this is just my bugs). I’m hoping that you’ll convince Chrome to fix my bugs within 90 hours so that I can get bounties within a week :D
1 reply 4 retweets 17 likes -
Replying to @shhnjk
I don't really have any opinion on bounties sorry, my first thought is that the bounty operator can dictate any terms they like and you have the right to not participate? Happy to hear the counter-argument.
2 replies 0 retweets 5 likes -
Replying to @taviso
Oh, the bounty part was just humor.
My point was, even Chrome can’t do 90-day deadlines for all vulnerabilities.
1 reply 0 retweets 2 likes -
Replying to @shhnjk
I think Chrome has a pretty stellar track record on this, and can totally manage 90 days. Give me the bug number and I'll take a look, it's hard for me to believe they're sitting on a 0day for over a year.
4 replies 0 retweets 13 likes -
Replying to @taviso
Following are vulns (per Chrome team) that are unfixed for more than a year (the oldest one was reported in 2015):
538562, 771596, 772759, 794382, 799041, 802007, 821625, 821626, 821628, 821630, 821632, 821634, 823241, 823737, 830101, 830808, 831731, 831761, 847848
1 reply 0 retweets 20 likes -
Replying to @shhnjk
I clicked through a few, they mostly don't seem like they need to be private to me. I can ping some Chrome developers and say you want them public if you like, it seems fine to me... I would have just made these public.
2 replies 0 retweets 2 likes -
I checked, they said just comment on the bugs you want opened or ask via usual channels
Replying to @taviso
Got it. Hope you can now believe that it’s difficult for even Chrome to fix all vulns within 90 days
1 reply 0 retweets 4 likes -
Replying to @shhnjk
When did I say that all vulnerabilities can be fixed in 90 days? I certainly think that all of those bugs could be fixed in 90 days, but it's a totally rational decision to not fix them and I do think they should be public.
1 reply 0 retweets 4 likes -