"If anything, I would hope that Google could step up to the plate more aggressively and block the malicious content and/or remove it from search results when zero-days are under way," Ollmann said in an emailed statement. "That would be much more productive and have a meaningful impact to the vulnerable users/targets."
The one element experts agree on is that it is highly unlikely that the majority of companies, no matter their size, will be able to get a patch out in seven days. But Wolfgang Kandek, chief technology officer for Qualys, believed the deadline could be reached easily, said that because Google is only asking for an advisory, at the minimum, "as long as the vendor had all administrative hurdles clear, i.e. legal language, formatting, publishing strategy, etc."
"I think it is a step in the right direction," Kandek said of Google's new policy.
Cybercriminals have been finding and exploiting zero-day vulnerabilities at a troubling rate, so vendors have to respond much quicker, Holland said.
"Something has to change within the security industry to keep us from the [company] logo of the week getting hit," Holland said. "Our industry is so depressing sometimes to work in because it's just doom and gloom all the time."
"No questions about it, this is a bold change" he said.
Sign up for CIO Asia eNewsletters.