The 30-day grace period is designed to speed up the rollout and adoption of patches
Google’s Project Zero team has announced that it will give vendors and companies an extra 30-day period before it discloses the technical details of a vulnerability.
“Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” said Tim Willis, the senior security engineering manager of Google’s elite bug-hunting crew.
Previously, under the 2020 disclosure policy, vendors were given 90 days between the initial report of a vulnerability and the public disclosure of its details, and that disclosure took place whether or not the bug had been fixed.
Under the new vulnerability disclosure policy, developers still have 90 days to fix the vulnerability, but Project Zero will now wait a further 30 days before it publishes details of the flaw, provided the bug is fixed within the 90-day window. The additional time is intended to give users enough opportunity to patch their systems.
Longer to patch
The new disclosure policy also affects vulnerabilities that are actively exploited in the wild. While previously these flaws were automatically disclosed seven days after they were reported, vendors can now request a three-day grace period. If the bug is fixed within seven days, Project Zero will wait 30 days before it reveals technical details about the security flaw.
The main idea behind the 2020 policy was that vendors who wanted to give users more time to patch their systems would focus on shipping fixes earlier in the 90-day cycle. However, as Willis pointed out, that wasn’t the case: Project Zero “didn’t observe a significant shift in patch development timelines”.
“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he added.
The new model was adopted because of concern that moving straight to a 60+30 policy would be seen as too quick and disruptive. In the future, however, Google anticipates that it will be able to steadily lower the patch development and adoption timelines for vendors.
“Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis concluded.
Project Zero is known for a number of high-profile disclosures; a few months ago, the team reported multiple zero-days affecting Chrome, Windows and Apple.