Google Project Zero team announces new policy, there will be a full 90-day buffer period before vulnerability is disclosed

Google’s Project Zero team is known for disclosing a number of serious vulnerabilities, but has also been criticised within the industry for its strict fast-track disclosure policy. So in 2020, Google’s security team tried to develop a new policy that would give the full 90 days of the grace period for problem disclosure. Even so, Google is pleased with the policy performance of the past five years, noting that 97.9% of vulnerabilities reported have been effectively fixed under the current 90-day disclosure policy.

Google Project Zero team announces new policy, there will be a full 90-day buffer period before vulnerability is disclosed

(Instagram via 9to5Google)

By contrast, some bugs in 2014 dragged on for six months or more. But after reviewing its “complex and often controversial” vulnerability disclosure policy, Google has decided to make some changes in 2020.

Businesses that are vulnerable to exposure will be given a default 90-day buffer, regardless of when they will fix the bug. If the business has successfully completed the repair or in advance, you can also contact Google Project Zero to disclose the details of the vulnerability in advance.

The manufacturer fixed the bug within 20 days? Google will announce details of the vulnerability on day 90;

The manufacturer fixed the bug within 90 days? Google will also announce details of the vulnerability on day 90!

Of course, Project Zero wants to increase the adoption of patches across the board as it seeks to drive the “faster patch development” process.

(1) Under the existing policy, Google expects suppliers to be able to quickly develop patches and develop appropriate processes to deliver them to end customers, and we will continue to pursue this urgently.

(2) However, too many times, the supplier simply recorded the vulnerability, without testing or fundamentally fixing the exposed vulnerability. With this in mind, the Project Zero team wants to push for faster patch development in case ulterior motives can easily launch attacks on users, large and small.

(3) The new policy, which has been improved, states that the security of end users will not be improved after the vulnerability is discovered until the bug is properly fixed. Only end users who are aware of the bug and have patched it on their device can benefit from a bug fix.

Finally, Google will give a 12-month trial before the new policy moves to “long-term implementation.”