Google has a fairly large security research team whose members are often credited by third-party vendors, including large ones like Adobe and Microsoft, with discovering vulnerabilities in their products.
However, while Google's new disclosure recommendation will most likely be followed by the company's own security researchers, it remains to be seen if it will also be adopted by third-party researchers or if it will influence vendors.
"Sadly, things don't change from one day to another," Kasper Lindgaard, the head of research at vulnerability management firm Secunia, said Thursday via email. "We do hope that all vendors will be influenced by this, that they will continue to improve their patching response times and accept their responsibility to ensure that 0-day vulnerabilities are patched as soon as possible."
Lindgaard described as "sensible" Google's seven-day time frame for coming up with a fix or workaround for a previously unknown vulnerability that is being actively exploited by attackers.
"To respond within 7 days with a properly tested patch without regressions is not always going to be possible, but in most cases it should be possible to come up with workarounds, if a patch is not available," he said. "So yes, I would expect that, in most instances of highly critical 0-day vulnerabilities, a vendor should be able to produce at least a workaround within 7 days."
Large software vendors like Microsoft, Adobe and Oracle, whose products are a frequent target of zero-day attacks, have experience in dealing with such incidents and have processes in place that allow them to respond in a timely manner most of the time. However, smaller vendors might be less prepared to deal with zero-day vulnerabilities and alert their customers.
"Our policy has always been to fix exploits in the wild as soon as possible," said Heather Edell, Adobe's senior manager of corporate communications, via email. "This is usually within seven days, unless there are extenuating circumstances."
Oracle did not immediately respond to a request for comment sent Thursday regarding Google's new recommended timeline for zero-day vulnerability disclosures.
For its part, Microsoft, which also finds vulnerabilities in third-party products, follows a disclosure process that it calls Coordinated Vulnerability Disclosure (CVD). This process doesn't use disclosure deadlines, as Microsoft prefers to coordinate with the affected vendors until fixes are released.
However, in cases of unpatched vulnerabilities in third-party products that are being actively exploited or that become publicly known, Microsoft researchers work with the affected vendor to release an advisory with potential mitigations and workarounds before a fix is ready.