20.4.21

Google’s Project Zero to wait longer before disclosing bug details



The 30-day grace period is designed to speed up the rollout and adoption of patches

Amer Owaida

Google’s Project Zero team has announced that it will give vendors and companies an extra 30-day period before it discloses the technical details of a vulnerability.

“Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” said Tim Willis, the senior security engineering manager of Google’s elite bug-hunting crew.

Previously, in line with the 2020 disclosure policy, vendors were afforded a 90-day cycle between the initial vulnerability was reported and until its details were publicly disclosed, with the public disclosure taking place regardless of whether the bug was fixed or not.

However, according to its new vulnerability disclosure policy, developers will still have 90 days to fix the vulnerability. However, Project Zero will give them another 30 days before it publishes details about the flaw, as long as the bug is fixed within that period. The ultimate aim is also to give users enough time to patch their systems.

Longer to patch

The new disclosure policy also affects vulnerabilities that are actively exploited in the wild. While previously these flaws were automatically disclosed seven days after they were reported, vendors can now request a three-day grace period. If the bug is fixed within seven days, Project Zero will wait 30 days before it reveals technical details about the security flaw.

The main idea behind the 2020 policy was that vendors who wanted to give users more time to patch their systems would focus on shipping the fixes earlier in the 90-day cycle. However, as Willis pointed out, that wasn’t the case, saying that Project Zero “didn’t observe a significant shift in patch development timelines”.

“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he added.

The new model was adopted due to fears that transitioning to a 60+30 policy would be considered too quick and disruptive. But in the future, Google anticipates that it will be able to steadily lower the patch development and adoption timelines for vendors.

“Moving to a “90+30” model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis concluded. Project Zero is known for a number of high-profile disclosures; a few months ago, the team reported multiple zero-days affecting ChromeWindows and Apple.