16 April 2021

Google’s Project Zero updates its vulnerability disclosure policy to give companies more time to roll out patches

The Google Project Zero security team has updated its vulnerability disclosure policy to add a 30-day grace period after a fix ships, giving users more time to install a patch before the technical details of the vulnerability are published.

Previously, Project Zero gave software vendors 90 days to address a vulnerability and published the technical details as soon as a fix was released, or when the 90-day disclosure window ended, regardless of whether the vulnerability had been fixed by then.

Under the new guidelines the 90-day disclosure window remains intact, but the team will now wait a further 30 days before sharing technical details of a vulnerability that was patched within its deadline: 90 days for an ordinary bug, or 7 days for a bug already being exploited in the wild (a zero-day). For in-the-wild exploits, vendors can request a 3-day grace period on top of the 7-day deadline, Project Zero team lead Tim Willis explained.

If a bug is not fixed by the end of its 90-day (or 7-day) disclosure window, the technical details are published immediately; the 30-day adoption period applies only to bugs that were fixed in time.

“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.

This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” Willis wrote.

The team is also considering moving to an "84+28" model in 2022. Both periods are divisible by seven, so a disclosure deadline would always fall on the same weekday as the report and never land on a weekend.

“While the 90+30 policy will be a slight regression from the perspective of rapidly releasing technical details, we're also signaling our intent to shorten our 90-day disclosure deadline in the near future. We anticipate slowly reducing time-to-patch and speeding up patch adoption over the coming years until a steady state is reached,” Willis said.
