Connect with us

Hi, what are you looking for?



Yahoo to Disclose Newly Discovered Vulnerabilities Within 90-Day Window

Yahoo says it will publicly disclose any new vulnerabilities uncovered by its security team within 90 days.

Yahoo says it will publicly disclose any new vulnerabilities uncovered by its security team within 90 days.

According to Chris Rohlf, Yahoo’s senior manager of penetration testing, the company believes the 90-day window will help ensure new vulnerabilities are patched as quickly as possible.

“As part of our efforts to keep our systems secure, the penetration testing team that I run is constantly performing attacks against ourselves and is looking for new ways that our adversaries might attempt to breach our systems,” he blogged. “This process helps us uncover vulnerabilities not only in the software that Yahoo has written but in the common open-source and commercial products that we use on our network. When we discover previously unknown security vulnerabilities (also known as “zero day” vulnerabilities), we immediately address the risks on our own systems to protect our users. While this process is underway we may notify our peers in the Internet community who may also be affected by the issue.”

Advertisement. Scroll to continue reading.

In addition, he noted, Yahoo coordinates with the U.S. Computer Emergency Readiness Team (US-CERT) to ensure that a Common Vulnerabilities and Exposures (CVE) number is assigned to the issue so that others can properly track and manage the vulnerability.

He added that Yahoo holds itself to a 90-day standard when it comes to the discovery and disclosure of its own vulnerabilities as well. Yahoo reserves the right to extend or shorten the timeline based on extenuating circumstances, including active exploitation, or known threats, he blogged, adding that the company will also share technical details so that other parties can assess risk and take any necessary action.

“If we are in good contact with the party responsible for developing and deploying a fix but they need more time then we reserve the right to extend this deadline as necessary,” he blogged. “If we feel no progress is being made on the fix then we reserve the right to publish the vulnerability details so that the internet community is aware of the issue and individual organizations can defend against or patch it themselves. When this occurs we will do our best to provide mitigation guidance where appropriate. We will make every effort possible to contact all relevant parties and help to coordinate the disclosure when needed.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.