Last week, Google decided to adopt a 7-day disclosure deadline for taking action on fixing vulnerabilities: http://googleonlinesecurity.blogspot.se/2013/05/disclosure-timeline-for-vulnerabilities.html. Below is a comment from Jeremiah Grossman, CTO of WhiteHat Security, on Google's new policy:
In my personal opinion, the "full disclosure" debate is dead. When is the right time to disclose what vulnerability information to whom is just as subjective as it is irrelevant. No one can really say with any certainty that 6 months, 60 days, or 7 days is reasonable. The fact is, whether it is Google or anyone else who is disclosing, they are both doing the vendor a service and also acting, at least in part, in their own personal interest. The question we really should be asking is how Google benefits from shortening disclosure deadlines.
Speaking for WhiteHat, the vulnerabilities we find are typically one-offs in custom web application software. These vulnerabilities are not, by traditional definitions, "0-days." When we do uncover a 0-day, which happens from time to time, we're more in the non-disclosure camp. The vulnerabilities we find, including the 0-days, are the property of our customers. They can decide when or if to disclose them to the affected vendors.