Comment by bartkappenburg

8 years ago

From a Cloudflare employee:

"We were working to disclose the bug as quickly as possible, but wanted to clean up search engine caches before it became public because we felt we had a duty of care to ensure that this private information was removed from public view. We were comfortable that we had time as Google Project Zero initially gave us a 90 day disclosure window (as can still be seen in their incident tracker), however after a couple of days, they informed us that they felt that 7 days was more appropriate. Google Project Zero ended up disclosing this information after only 6 days."

Straight from the issue tracker:

    They then told me Wednesday, but in a later reply started saying Thursday
    [...] If the date keeps extending, they'll reach our "7-day" policy for actively exploited attacks.

    https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html