clock menu more-arrow no yes mobile

Filed under:

Google’s Project Zero is now being more considerate with how it discloses security vulnerabilities

New, 23 comments

‘Full 90 days by default, regardless of when the bug is fixed’

Illustration by Alex Castro / The Verge

Google’s Project Zero cybersecurity team is trialling a new policy where it won’t make security vulnerabilities public early after a fix has been issued. “Full 90 days by default, regardless of when the bug is fixed,” is the team’s new policy, which it will trial for a year before deciding whether to adopt it permanently.

Under the old system, Project Zero’s researchers would give vendors 90 days to fix an issue before making the problem public. However, if a patch was issued within that 90 day window, it would disclose the vulnerability early. This can be a problem, because it means users have to rush to patch a vulnerability before hackers can exploit it. A vulnerability might be fixed by the company, but that doesn’t matter if the patch hasn’t been widely adopted.

So now, regardless of whether a patch is issued 20 days or 90 days after Project Zero makes a vendor aware of the problem, it will still wait 90 days to make the issue public. There are a couple of exceptions, though. One is when there’s “mutual agreement” between the two companies to disclose early, and Project Zero may also extend the deadline by 14 days if it’s taking longer for a vendor to put together a patch. The seven day deadline for vulnerabilities that are being exploited in the wild will remain unchanged.

As well as giving patches more time to be adopted, Project Zero says it hopes the new policy will improve consistency, giving vendors a better idea of when a vulnerability will be made public. It also says it’s eager to see more iterative and thorough patches issued, thanks to the time vendors will now have between a patch initially being issued and the vulnerability it addresses being made public.

Despite the changes, the Project Zero team says it’s broadly happy with how its disclosure period has worked until now. In 2014, when the team started its work, it says that bugs were sometimes not fixed six months after being discovered. Now, of the issues it’s identified (of which there have been many), it says 97.7 percent are patched within its 90 day window.