Yahoo: Security team will reveal vulnerabilities 90 days after finding them

Yahoo stated that any vulnerability its security team discovers will be disclosed to the public after a period of 90 days.

One of the group's responsibilities is to assess the level of security of the code written by Yahoo, while also testing code from third parties that has been integrated into the service provided by the company.

The group calls itself the Yahoo Paranoids, and, led by Chris Rohlf, attacks infrastructure to find new vulnerabilities that can be exploited.

"This process helps us uncover vulnerabilities, not just in software that Yahoo has written, but in open-source and commercial products that we use on our network," Mr. Rohlf wrote Tuesday in a message to Tumblr.

The new team's task, when it uncovers unknown vulnerabilities in code (also known as zero-day vulnerabilities), is to have them corrected immediately by experts, who will at the same time inform the other parties that may be affected by the problem, as well as US-CERT (Computer Emergency Readiness Team).

Although 90 days may seem like a short time for the code developer to fix a problem, a longer time frame would increase the risk to users, giving cybercriminals a chance to find the flaw themselves and take advantage of it.

Nevertheless, Mr. Rohlf states: “We're keeping the right to extend or shorten said schedule based on circumstances, such as already exploitable vulnerabilities or the existence of known threats.”

Cybercriminals are usually successful because they are constantly on the lookout for zero-day vulnerabilities; by the time these are discovered, they have already compromised the victim or victims. Yahoo considers that it is taking a new, dynamic stance against this practice, one that covers the code of the third parties it works with in addition to its own code.

Publishing a vulnerability after 90 days depends on many factors, including the difficulty of dealing with the defect, since releasing a patch may sometimes take longer. However, if there has been little or no progress since the discovery of the vulnerability, Yahoo reserves the right to disclose it in order to force companies to take immediate defensive action or to prepare a patch.

Written by Dimitris