Yahoo Security Team to Reveal Vulnerabilities 90 Days After Finding Them

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Yahoo’s security team disclosed that every vulnerability discovered in their penetration tests would be revealed publicly after a period of 90 days.

One of the team's responsibilities is to assess the security of the software written by Yahoo, as well as of third-party code that has been integrated into the company's services.

Affected entities will be informed of the problem found

Called Yahoo Paranoids, and led by Chris Rohlf, the group runs attacks against Yahoo's own infrastructure in order to find weaknesses that a threat actor might be able to exploit.

“This process helps us uncover vulnerabilities not only in the software that Yahoo has written but in the common open-source and commercial products that we use on our network,” Rohlf wrote on Tuesday in a Tumblr post.

Under the new policy, zero-days are remedied immediately by the security team, which also alerts other entities that may be affected by the problem, as well as US-CERT (United States Computer Emergency Readiness Team), so that a Common Vulnerabilities and Exposures (CVE) identifier can be issued for better tracking of the issue.

Although 90 days may seem like a short period in which to let the developer of the code fix a flaw, a wider time frame would only increase the risk to users by giving cybercriminals more opportunity to find the flaw themselves and exploit it. The period is not fixed, though.

“We reserve the right to extend or shorten this timeline based on extenuating circumstances, including active exploitation, or known threats,” Rohlf writes.

Security experts understand that sometimes 90 days may not be enough

Cybercriminals are successful because they are constantly searching for zero-days that can be exploited, and through this disclosure policy, Yahoo takes a proactive stance against this practice.

The policy does not cover only third-party code; Yahoo's own software is subject to the same treatment. Of course, since that communication is internal, fixing the problems within the assigned timeline should be easier to achieve.

Public disclosure of the vulnerability after 90 days depends on several factors, one of them being the difficulty in addressing the flaw, which sometimes may require more time for a patch to be released.

However, if no progress, or very little, has been recorded since the date of the private report, Yahoo reserves the right to make everything public, in order to give organizations the chance to take defensive measures or to prepare a patch themselves.

ahmad123
Yahoo takes a proactive stance being the difficulty in addressing the flaw because they are constantly searching for zero;)