Google Project Zero shifts to full 90-day disclosures to improve patch uptake

Vendors to have 90 days to get patches right, under changes to Google Project Zero's disclosure policy.
Written by Chris Duckett, Contributor

Project Zero, Google's team of elite security researchers, has changed its disclosure policy to focus on giving vendors time to get patches for security issues right, and distributed to users, before the details become public.

Under the changes announced on Tuesday, unless a prior agreement exists, all vulnerabilities will be publicly disclosed 90 days after they are reported to the vendor, regardless of when a fix ships.

Previously, as soon as a patch for a vulnerability was released, a Project Zero researcher would make the corresponding issue on the team's bug tracker public, even if that was well before the 90-day deadline.

"Too many times, we've seen vendors patch reported vulnerabilities by 'papering over the cracks' and not considering variants or addressing the root cause of a vulnerability," Project Zero manager Tim Willis wrote.

"One concern here is that our policy goal of 'faster patch development' may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss."

Willis added that keeping the full 90-day window gives vendors time to get patched versions installed by users before the details are disclosed.

"End user security doesn't improve when a bug is found, and it doesn't improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device," he said.

The changes will simplify interaction with Project Zero and make it more consistent, the blog post said.

"Some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time," Willis said.

"They saw it as a barrier to working with us on larger problems, so we're going to remove the barrier and see if things improve."

In August, Project Zero said almost 96% of the vulnerabilities it reported were fixed before the 90-day deadline expired. On Tuesday this number was updated to 97.7%.

Project Zero has only extended its 90-day deadline twice -- for the task_t iOS issue from 2016 and for the Meltdown and Spectre flaws revealed in 2018.
