<!DOCTYPE html> <html class="google mmfb" lang="en"> <head> <meta charset="utf-8"> <script src="//web.archive.org/web/20210519061541js_/https://www.gstatic.com/safen-me-up.js" nonce="QZbfaj8m4wGx3YEb5k3V7w"></script> <script nonce="QZbfaj8m4wGx3YEb5k3V7w"> if (window.safenup_status !== 'ok') { document.write('<PLAINTEXT>'); } </script> <script nonce="QZbfaj8m4wGx3YEb5k3V7w"> (function(H){H.className=H.className.replace(/\bgoogle\b/,'google-js')})(document.documentElement) </script> <meta content="initial-scale=1, minimum-scale=1, width=device-width" name="viewport"> <title> Application Security – Google </title> <script src="//web.archive.org/web/20210519061541js_/https://www.google.com/js/google.js" nonce="QZbfaj8m4wGx3YEb5k3V7w"></script> <script nonce="QZbfaj8m4wGx3YEb5k3V7w"> new gweb.analytics.AutoTrack({profile:"UA-51571019-1"}); </script> <link href="//web.archive.org/web/20210519061541cs_/https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700|Product+Sans:400&lang=en" rel="stylesheet" nonce="QZbfaj8m4wGx3YEb5k3V7w"> <link href="/web/20210519061541cs_/https://www.google.com/about/appsecurity/css/default.css" 
rel="stylesheet" nonce="QZbfaj8m4wGx3YEb5k3V7w"> </head> <body> <div class="maia-header" id="maia-header" role="banner"> <div class="maia-aux"> <h1> <a href="/web/20210519061541/https://www.google.com/"><img alt="Google" src="//web.archive.org/web/20210519061541im_/https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_116x41dp.png" srcset="//web.archive.org/web/20210519061541im_/https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_116x41dp.png 2x"></a> </h1> <h2> <a href="/web/20210519061541/https://www.google.com/about/appsecurity/"> Application Security</a> </h2><a class="maia-teleport" href="#content">Skip to content</a> <div class="maia-util"> <div> <img src="/web/20210519061541im_/https://www.google.com/about/appsecurity/images/flag.jpg" alt="Qm91bnR5Q29ue2JlYjkzZjY4ZmNmMDQ1N2M1OTdkYTg0YTZjZGI0MGMzZTk4NWQxYjB9"> </div> </div> </div> </div> <div class="maia-nav" id="maia-nav-x" role="navigation"> <div class="maia-aux"> <ul> <li>Home </li> <li> <a href="/web/20210519061541/https://www.google.com/about/appsecurity/learning/xss/">Learning</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/about/appsecurity/programs-home/">Reward Programs</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/about/appsecurity/hall-of-fame/">Hall of Fame</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/about/appsecurity/research/">Research</a> </li> </ul> </div> </div> <div id="maia-main" role="main"> <div class="maia-teleport" id="content"></div> <div class="maia-cols"> <div class="maia-col-7 intro"> <h1> How Google handles security vulnerabilities </h1> <p> As a provider of products and services for many users across the Internet, we recognize how important it is to help protect user privacy and security. 
We understand that secure products are instrumental in maintaining the trust users place in us and we strive to create innovative products that both serve user needs and operate in the user’s best interest. </p> </div> <div class="maia-col-5 intro"> <div class="maia-notification"> <p> This site provides information for <strong>developers and security professionals</strong>. </p> <p> If you are a Google user and have a security issue to report regarding your personal Google account, please visit <a href="https://web.archive.org/web/20210519061541/https://www.google.com/contact/">our contact page</a>. To find out how to stay safe online, take the <a href="https://web.archive.org/web/20210519061541/https://myaccount.google.com/security-checkup">Google Security Checkup</a>. </p> </div> </div> </div> <h2> Reporting security issues </h2> <p> If you believe you have discovered a vulnerability in a Google product or have a security incident to report, go to <a href="https://web.archive.org/web/20210519061541/https://goo.gl/vulnz">goo.gl/vulnz</a> to include it in our <a href="https://web.archive.org/web/20210519061541/https://www.google.com/about/appsecurity/reward-program/">Vulnerability Reward Program</a>. Upon receipt of your message we will send an automated reply that includes a tracking identifier. If you feel the need, please use <a href="https://web.archive.org/web/20210519061541/https://services.google.com/corporate/publickey.txt">our PGP public key</a> to encrypt your communications with us. </p> <h2> Google’s vulnerability disclosure policy </h2> <p> We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. 
That deadline can vary in the following ways: </p> <ul> <li>If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day. </li> <li>Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch. </li> <li>When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. </li> </ul> <p> As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard. </p> <p> This policy is strongly in line with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline. We call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. 
In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet. </p> </div> <div id="maia-signature"></div> <div class="maia-footer" id="maia-footer"> <div id="maia-footer-global"> <div class="maia-aux"> <ul> <li> <a href="/web/20210519061541/https://www.google.com/">Google</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/intl/en/about/">About Google</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/intl/en/policies/privacy/">Privacy</a> </li> <li> <a href="/web/20210519061541/https://www.google.com/intl/en/policies/terms/">Terms</a> </li> </ul> </div> </div> </div> <script src="//web.archive.org/web/20210519061541js_/https://www.google.com/js/maia.js" nonce="QZbfaj8m4wGx3YEb5k3V7w"></script> </body> </html>