Google Project Zero
Under Google Project Zero's new disclosure policy, vendors will get a 30-day grace period after shipping a patch before the technical details of the bug are published. The stated aim of the change is to speed up both the development of patches and their adoption by users.
Last year, Project Zero, the team of Google researchers known for digging up critical vulnerabilities in both Google's and rival companies' software, began publishing the technical details of bugs it reports 90 days after the initial vulnerability report.
A blog post published on Thursday states that the team will now withhold technical details of a reported vulnerability until 30 days after a patch is released, provided the patch ships within the 90-day window.
In other words, the new policy gives vendors 90 days to develop a patch and then allows 30 days for that patch to be rolled out before details become public.
The 90+30 policy is intended to separate the time the industry has for patch development from the time allowed for patch adoption, to settle the recurring debate about when technical details should be shared and how that trades off between attackers and defenders, and to minimize the window during which end users remain exposed to a newly discovered flaw.
Vulnerabilities that remain unpatched 90 days after Project Zero reports them will be disclosed publicly when that period expires.
A similar policy applies to vulnerabilities that are already being exploited in the wild. Until now, Project Zero published the technical details of such bugs seven days after the initial report.
Under the new policy, if a patch is issued within the seven-day window, the technical details are withheld for 30 days after the patch ships. Vendors of affected products may also request a three-day grace period before Project Zero publishes the details.
Google expects the 90+30 policy to make expectations clearer for vendors, to help them ship patches faster, and to give their users more time to apply those patches before the details are public.