Google gives developers more time to fix security flaws before revealing them

Google's Project Zero, announced last year as a way to bolster internet security, had Google engineers identifying "zero day" vulnerabilities in software and services — previously unknown security flaws that developers have had no time to patch or fix. When its engineers found such vulnerabilities, Google would originally give the developers a strict 90-day window to issue a fix, before making an exploit or security hole public. At the time of launch, the search giant believed the timeframe would give developers enough time to cook up a fix, but in the face of criticism, it's now extended that 90-day period.

If developers contact Google and indicate that a fix is being put together but won't be ready within the 90-day window, they can receive an additional 14-day grace period in which to release a patch before the security hole is made public. Google has also agreed to move deadlines that fall on weekends or national holidays to the next working day, and has said that in extreme circumstances it will move deadlines forwards or backwards.
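The deadline rules described above (a 90-day window, an optional 14-day grace period when a fix is in progress, and weekend or holiday deadlines rolling to the next working day) are simple enough to encode, and a vendor's security team tracking several open reports would want them computed rather than counted by hand. The following is an added example written for this article, not Google's or Project Zero's own tooling; the window length is a parameter so the same function also models the 120-day and 45-day windows mentioned later, and the holiday calendar is a constructed sample rather than any real national holiday list.

```python
from datetime import date, timedelta

# Policy constants as described in the article.
DEFAULT_WINDOW_DAYS = 90   # Project Zero's standard disclosure window
GRACE_DAYS = 14            # extra time granted when a fix is underway

# Constructed sample holiday set for the demonstration (not a real calendar).
SAMPLE_HOLIDAYS = frozenset({date(2015, 1, 1), date(2015, 5, 25)})


def roll_to_working_day(day, holidays=frozenset()):
    """Move a date forward until it is neither a weekend nor a listed holiday."""
    while day.weekday() >= 5 or day in holidays:   # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def disclosure_deadline(reported_on, fix_in_progress=False,
                        window_days=DEFAULT_WINDOW_DAYS, holidays=frozenset(),
                        adjustment_days=0):
    """Compute the public-disclosure date for a report.

    reported_on      -- date the vendor was notified
    fix_in_progress  -- True if the vendor confirmed a patch is coming but
                        will miss the base window; adds the grace period
    window_days      -- base window (90 here; 120 or 45 for other programs)
    holidays         -- dates treated like weekends for rollover
    adjustment_days  -- manual shift for the "extreme circumstances" case
                        (negative moves the deadline earlier)
    """
    deadline = reported_on + timedelta(days=window_days)
    if fix_in_progress:
        deadline += timedelta(days=GRACE_DAYS)
    deadline += timedelta(days=adjustment_days)
    return roll_to_working_day(deadline, holidays)


def days_remaining(deadline, today):
    """Days left before disclosure; negative means the deadline has passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed example: a report delivered on Monday 2015-01-05.
    reported = date(2015, 1, 5)
    base = disclosure_deadline(reported, holidays=SAMPLE_HOLIDAYS)
    extended = disclosure_deadline(reported, fix_in_progress=True,
                                   holidays=SAMPLE_HOLIDAYS)
    print("base deadline:    ", base)       # 90 days lands on a Sunday -> Monday 2015-04-06
    print("with grace period:", extended)   # +14 days, also a Sunday -> Monday 2015-04-20
    print("days left on 2015-04-01:", days_remaining(base, date(2015, 4, 1)))
```

Note that the rollover is applied after all extensions are added, so a grace period that itself ends on a weekend is still pushed to the following working day, which is the behaviour a vendor would expect when reading the policy.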

Microsoft criticized Google for outing a security flaw in Windows 8.1 two days before a patch

The change comes a month after Microsoft openly criticized Google for publishing information on a Windows 8.1 vulnerability two days before it was scheduled to be fixed. Microsoft said Google's approach was "less like principles and more like a 'gotcha,'" arguing that customers would suffer as a result. After making details of another security flaw in Windows 8.1 public before Microsoft could ready a fix in December last year, Google defended its 90-day period, telling Engadget that its disclosure deadlines were "currently the optimal approach for user security."

The slight tweaks to the policy now give developers slightly more time to complete their work, but Google is by no means the most demanding of all security research groups when it comes to zero day discoveries. Google says its 90-day policy is a "middle-of-the-road deadline timetable" in comparison with its industry peers. The Zero Day Initiative — a program that rewards researchers for spotting zero day vulnerabilities — offers a more lenient 120-day window in which developers can issue a fix, while Carnegie Mellon's CERT only gives developers 45 days before spilling the beans on security holes.