16 April 2021

Google’s Project Zero updates its vulnerability disclosure policy to give companies more time to roll out patches

The Google Project Zero security team has updated its vulnerability disclosure policy to include a new 30-day grace period, giving users more time to install patches before the technical details of a vulnerability are shared online.

Previously, Project Zero gave software vendors 90 days to address a vulnerability and published the technical details either when the bug was fixed or when the 90-day disclosure period ended, regardless of whether the vulnerability had been fixed.

Under the new guidelines the 90-day disclosure deadline remains intact, but the team will now wait a further 30 days before sharing technical details of a vulnerability that was patched within that deadline. For vulnerabilities already being exploited in the wild (zero-days) the deadline stays at 7 days, and vendors can request a 3-day grace period, Project Zero team lead Tim Willis explained.

If a bug is not fixed by the end of the 90- or 7-day disclosure period, the technical details will be published immediately.

“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.

This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Willis wrote.

The team is also considering moving to an "84+28" model in 2022. Both periods are divisible by seven, so a disclosure deadline always falls on the same weekday as the report date and never accidentally lands on a weekend.

“While the 90+30 policy will be a slight regression from the perspective of rapidly releasing technical details, we're also signaling our intent to shorten our 90-day disclosure deadline in the near future. We anticipate slowly reducing time-to-patch and speeding up patch adoption over the coming years until a steady state is reached,” Willis said.
