Google’s Project Zero is changing its vulnerability disclosure timeline to give time for fixes to roll out
Google’s Project Zero team is announcing some big changes to how it discloses security vulnerabilities to the public. Since its launch, Project Zero has followed a strict 90-day disclosure deadline: when a vulnerability is found, Project Zero waits 90 days before publicly documenting the technical details. This gives vendors time to patch the flaw in their software before attackers can exploit it.
Project Zero is now trialing a new model for 2021 that will grant OEMs an additional month to roll out patches to the affected users. Earlier, the technical documentation of a vulnerability happened as soon as the 90-day deadline lapsed — regardless of whether a patch was issued or not. In the new model, if an OEM fixes the issue within the 90-day period, the technical documentation will happen 30 days after the fix.
Google says the new 90+30 policy aims to make patch adoption an explicit part of the disclosure program. Vendors will have 90 days to develop the patch and 30 days to roll out the fix to their users.
“Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” said Project Zero manager Tim Willis in a blog post.
In-the-wild vulnerabilities, which are actively being exploited, will still be given a 7-day disclosure deadline. But now, if an issue gets patched within 7 days, Google will publish the technical details 30 days after the fix. Earlier, Google would publish the details on the 7th day regardless of when the issue was fixed. Moreover, vendors can now also request a 3-day grace period for vulnerabilities of this nature, which wasn’t offered before.
The Project Zero team acknowledges that this new policy is a slight regression from its earlier stance, which prioritized rapidly releasing technical details to the public. However, the team notes that this relaxed policy won’t be sticking around for long, as it will be looking to shorten the disclosure deadline in the near future. The team hinted that for 2022 it would likely move to an 84+28 model.