Before publicly disclosing the bugs it found in third-party software

May 30, 2013 09:06 GMT
Google is moving to an aggressive timeline to encourage others to fix their problems faster

Google has a policy of disclosing any critical security bugs ("zero days") it finds in other people's software and systems after 60 days if the vulnerabilities haven't been fixed in that time.

That period should be enough for most companies to fix those issues, and Google believes the public is best served by being informed.

Many companies don't like the policy, but Google is now getting even more aggressive and says that it will publicly disclose details on any security vulnerability actively exploited in the wild within seven days of notifying the appropriate software vendor.

Google recognizes that this is an aggressive timeline, but believes that, especially for actively exploited bugs, people should be aware of the risk and be able to take their own measures to protect themselves if their software vendor isn't able to.

"The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised," Google explained.

"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information," it added.

Google regularly stumbles upon vulnerabilities in software from various companies and organizations, as its security researchers investigate issues relating to Google products.

The company, like many others, notifies those affected and keeps quiet about the vulnerability to give the other company time to fix it.

This has long been the standard in the security research world, since revealing details about a vulnerability invites people to exploit it. However, some companies take advantage of this and fail to address the issue for weeks or months, knowing that the researchers won't go public.

The more recent trend is to disclose vulnerabilities shortly after they are found, whether they've been fixed or not. In the most extreme examples, researchers go public immediately after discovering the bug.