Google revises Project Zero’s Disclosure Policy to help improve zero-day vulnerability fixes

The Project Zero team says the 90+30 policy will give vendors more time than its current policy.

| Updated on: Aug 21 2022, 16:30 IST
Google releases Policy and Disclosure: 2021 Edition
Google releases Policy and Disclosure: 2021 Edition (Google )
Google releases Policy and Disclosure: 2021 Edition
Google releases Policy and Disclosure: 2021 Edition (Google )

Project Zero, Google's dedicated team of security analysts, has made changes to its Disclosure Policy to help reduce the time it takes for vulnerabilities to get fixed. Henceforward the security group will not make the technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. According to the group, the extra days aim at user patch adoption.

Google Project Zero's revised policy says that if an issue remains unpatched after 90 days, technical details are made public immediately. If the fix is plugged within the 90-day timeframe, it will publish the details 30 days after the fix is released. The team also gives a 14-day grace period. If both parties agree, vulnerabilities can be disclosed earlier as well.

ALSO READ: IBM uncovers more attacks against Covid-19 vaccine supply chain

In the case of zero-day vulnerability actively exploited in the wild, Project Zero will make the technical details public immediately if the issue remains unpatched after seven days. If the vendor has patched the issue within the stipulated time, technical details will be published 30 days after the fix. Vendors also have the option to request an additional 3-days grace period. Earlier, Google Project Zero did not give any grace period and made the details public after seven days of reporting regardless of when the bug is fixed.

The full list of changes for 2021
The full list of changes for 2021 (Google)
image caption
The full list of changes for 2021 (Google)

According to the revised Disclosure Policy, Google aims to reduce the time between reporting a bug and a fix rolled out to users. The policy aims to ensure comprehensive fixes. It also hopes it will reduce the time between a patch rollout and users adoption.

ALSO READ: 97% of organisations faced mobile malware attack in 2020: Checkpoint report


“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Google Project Zero further said.

Follow HT Tech for the latest tech news and reviews , also keep up with us on Twitter, Facebook, Google News, and Instagram. For our latest videos, subscribe to our YouTube channel.

First Published Date: 18 Apr, 11:20 IST