Yahoo says it will publicly disclose any new vulnerabilities uncovered by its security team within 90 days.
According to Chris Rohlf, Yahoo’s senior manager of penetration testing, the company believes the 90-day window will help ensure new vulnerabilities are patched as quickly as possible.
“As part of our efforts to keep our systems secure, the penetration testing team that I run is constantly performing attacks against ourselves and is looking for new ways that our adversaries might attempt to breach our systems,” he blogged. “This process helps us uncover vulnerabilities not only in the software that Yahoo has written but in the common open-source and commercial products that we use on our network. When we discover previously unknown security vulnerabilities (also known as “zero day” vulnerabilities), we immediately address the risks on our own systems to protect our users. While this process is underway we may notify our peers in the Internet community who may also be affected by the issue.”
In addition, he noted, Yahoo coordinates with the U.S. Computer Emergency Readiness Team (US-CERT) to ensure that a Common Vulnerabilities and Exposures (CVE) number is assigned to the issue so that others can properly track and manage the vulnerability.
He added that Yahoo holds itself to a 90-day standard when it comes to the discovery and disclosure of its own vulnerabilities as well. Yahoo reserves the right to extend or shorten the timeline based on extenuating circumstances, including active exploitation, or known threats, he blogged, adding that the company will also share technical details so that other parties can assess risk and take any necessary action.
“If we are in good contact with the party responsible for developing and deploying a fix but they need more time then we reserve the right to extend this deadline as necessary,” he blogged. “If we feel no progress is being made on the fix then we reserve the right to publish the vulnerability details so that the internet community is aware of the issue and individual organizations can defend against or patch it themselves. When this occurs we will do our best to provide mitigation guidance where appropriate. We will make every effort possible to contact all relevant parties and help to coordinate the disclosure when needed.”
