Fortinet Claims Google's Disclosure Policy Irresponsible

2013-06-04

http://blog.fortinet.com/Google-and-the-Zero-Day-Conundrum/

Google has announced a new policy allowing vendors 60 days to release a patch or advisory for a vulnerability or seven days if it is being actively exploited.

Network security appliance vendor Fortinet posted a blog post criticising this decision. In this post (linked above), Fortinet originally attempted to call Google out, saying that Fortinet researchers were sitting on Critical vulnerabilities in Chrome that were much older than 7 or even 60 days.

However, Google Chrome Security team member Justin Schuh fired back at Fortinet's claim that Fortinet had any such Critical security bugs. The list of Chrome bugs from Fortinet shows that the submitted issues have been closed by Google as they are not security issues, let alone Critical exploitable bugs.

After Schuh's tweet(s), Fortinet pulled the blog (Mirror of original post: here) and reposted it without mentioning all of the Chrome 0-days they thought they were sitting on.

A day later, Attrition.org received a report of an XSS vulnerability in Fortinet's website allowing for iframe content injection: hxxp://kb.fortinet.com/kb/common/extIFrame.jsp?docURL=http://xssed.org
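The reported issue is the common pattern of a query parameter (here `docURL`) being copied straight into an iframe `src`. The usual fix is to never frame an attacker-chosen URL: resolve the parameter against the site's own origin and accept it only if the resulting scheme and host are on an allowlist, falling back to a neutral page otherwise. The following is an added illustration of that check, not code from Fortinet or from the report; the host `kb.example.com`, the allowlist, and the default page are constructed for the example.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Constructed for this example: hosts whose documents may be framed.
ALLOWED_HOSTS = {"kb.example.com"}
# Neutral same-origin page served when the parameter is rejected.
DEFAULT_URL = "/kb/common/blank.html"
SITE_BASE = "https://kb.example.com/"


def safe_frame_url(doc_url: str, base: str = SITE_BASE) -> str:
    """Return a URL that is safe to place in an iframe src, or DEFAULT_URL.

    Only same-origin relative paths or absolute http(s) URLs whose host is
    in ALLOWED_HOSTS are accepted. Other hosts, protocol-relative values
    (//host), javascript:/data: schemes and userinfo tricks all fall back
    to the default page.
    """
    if not doc_url or len(doc_url) > 2048:
        return DEFAULT_URL
    # Resolving against the site's own base turns relative paths into
    # same-origin URLs and exposes "//evil" as a foreign host.
    resolved = urljoin(base, doc_url.strip())
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_URL
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_URL
    if parts.username or parts.password:
        # "https://allowed@evil/" style confusion is rejected outright.
        return DEFAULT_URL
    return resolved


def frame_src_for_query(query_string: str) -> str:
    """Pull docURL out of a raw query string and validate it."""
    params = parse_qs(query_string)
    value = params.get("docURL", [""])[0]
    return safe_frame_url(value)


if __name__ == "__main__":
    # Constructed sample inputs: the shape of the reported payload plus
    # a few common bypass attempts and one legitimate document path.
    for sample in ["http://xssed.org", "//xssed.org/x", "javascript:alert(1)",
                   "https://kb.example.com@xssed.org/", "/kb/doc1.html"]:
        print(f"{sample!r:45} -> {safe_frame_url(sample)}")
```

The design choice worth noting is that the check runs on the *resolved* URL, not the raw string: substring tests such as `"kb.example.com" in doc_url` are exactly what the userinfo and protocol-relative cases defeat.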
