The policy is *highly* flexible; any number of days between 0 and 90 is acceptable. In addition, if an update or patch was already scheduled within 14 days of the deadline, we offer a "grace period" to align the schedule.
We do publish all our vulnerabilities, including vulnerabilities in Google products; we're transparent and apply our policy consistently to all vendors. I don't understand your other question.
-
The Google+ vulnerability shows that in fact Google does not disclose all vulnerabilities, so how many more have not been disclosed? If a vulnerability was discovered, and has gone past 90 days, as shown by Jun, why are you asking permission from devs to make it public?
-
Uhhhhh, I work on Project Zero, I can't control what Google+ does any more than I can control what the cafeteria serves.
-
My point was, even Chrome can’t do 90-day deadlines for all vulnerabilities.