Google's Project Zero is trialing a new vulnerability disclosure policy for 2021. Under the updated policy, the Google security team will wait an extra 30 days before disclosing vulnerability details to the public. Developers still only get 90 days to fix the bugs, but Google will wait longer to release the details. This gives users more time to update their systems to the latest patch.
Project Zero will wait an extra 30 days before disclosing vulnerability details
Project Zero has followed a 90-day vulnerability disclosure policy since its inception back in 2014. This essentially means developers get 90 days to fix the bugs that the Google team has discovered in their software. It has also offered a 14-day grace period if requested by the developer concerned.
If the developer fixes the bug within the 90-day period (or during the grace period), Google releases details of the vulnerability immediately. If no fix arrives even after the 90-day window is complete, the company releases the vulnerability details anyway. This makes users aware of the security vulnerabilities their device or software may have.
However, it also increased the chances of users becoming victims of exploitation. Of course, Google has to release the vulnerability details at some point if the developers aren't working on a fix. But publishing the details immediately after a fix is released didn't give users enough time to update their systems to the latest patch. As such, they remained vulnerable to attacks against an already public bug.
To that end, Project Zero last year launched a trial of a "Full 90" policy. Under this policy, Google would wait the full 90 days (plus a 14-day grace period) before disclosing the vulnerability details, irrespective of when the developer rolled out a fix. So whether the fix arrived in 10 days or on the 90th day, Google would release all details only after 90 days.
However, that deadline still didn't address the concern that users aren't getting enough time to update their systems. As such, the company is now trialing a new policy under which it will wait until the 120th day to share the details of a vulnerability if the developer patches it within the 90 days (134 days if the 14-day grace period is used, since the grace period extends the fix window to 104 days).
A 3-day grace period for bugs that are being actively exploited in the wild
The Project Zero team will also grant a 3-day grace period for bugs that are being actively exploited against users. The current deadline for such security vulnerabilities is 7 days. The 30-day extended wait period applies to these bugs as well. So if such a bug gets a fix within the 7-day window (or 10 days with the grace period), Google will disclose the details after 37 days.
Google may disclose the details earlier by mutual agreement with the developer, though. The company says around 97.7 percent of its vulnerability reports get a fix within its 90-day disclosure window. The updated policy now gives users more time to adopt the fixes, thus reducing the exploitation risk. The new Project Zero vulnerability disclosure policy is in effect starting April 15th, 2021.