Google’s Project Zero, a team of dedicated security engineers tasked with reducing the number of “zero day” vulnerabilities around the entire internet, says it will give developers an extra 30 days before disclosing vulnerability issues, in order to give end-users time to patch their software.
Developers will still have 90 days to fix bugs, but Project Zero will wait another 30 days before it discloses the details of the bug publicly. If a flaw is being actively exploited in the wild, a company will have seven days to issue a patch, and a three-day grace period if requested. But Google Project Zero will wait 30 days before it discloses technical details.
In 2020, Google announced a trial to allow developers 90 days to work on patch development and adoption, with the idea that if a dev wanted more time to allow users to install a patch, they’d ship the fixes early in the 90-day period. “In practice however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch,” Project Zero’s Tim Willis wrote in the blog post. “In other words, the implied timeline for patch adoption wasn’t clearly understood.”
The goal of the 2021 update, Willis wrote, is to make the patch adoption timeline an explicit part of its vulnerability disclosure policy. “This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive,” he wrote. “Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines.