Google’s Project Zero security team will now wait 90 days to disclose any vulnerabilities they find
Project Zero is a security division employed by Google, which was founded in 2014. The team’s primary mission is to discover zero-day vulnerabilities – that is, vulnerabilities that are unknown (or unaddressed by) the party which should be interested in its mitigation. “Heartbleed” is one such zero-day exploit, which was privately reported by two separate security teams to OpenSSL. One of these security teams operated under Google and eventually led to the creation of Project Zero. The bug was discovered in April of 2014, a build of OpenSSL with the bug fixed was released a few days later along with full disclosure of the bug. This full disclosure meant that systems not updated immediately were at risk, though that generally serves as a motivation for developer teams to update their software.
Since then, Google’s Project Zero has worked in a similar manner. When a zero-day bug is discovered, the team privately reports it to whichever company owns the software. From the date of disclosure, the company has 90 days to fix the bug. If they fix it before the 90-day window is complete, Google will release details of the vulnerability. If the 90 days pass without it being fixed, the team will release the vulnerability anyway, which is intended to make users aware of the problems the software they are using may have, while also potentially motivating the company to work faster. There is one flaw that vendors perceive with this system, and just like with Heartbleed, it’s that users (or developers) may not be able to upgrade their systems fast enough before becoming a victim of exploitation. For this reason, the Project Zero team has announced that for the year, they are trialing waiting out the 90-days no matter how fast (or slow) the vulnerability is fixed.
Google’s policy of disclosing bugs in 7 days if they find evidence the bug is being exploited in the wild is unaffected. In the same blog post, the Project Zero team has also announced a number of other small changes. Google is also proud to announce that 97.7% of all issues that they discover are fixed within the 90-day window. You can read the full blog post below.
Source: Google Project Zero