Google Project Zero testing 30-day grace period on bug details to boost user patching

After trying to get vendors to produce updates to fix vulnerabilities quicker, Project Zero is trying an explicit patch period.
Written by Chris Duckett, Contributor
Image: Getty Images

Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that incorporates a new 30-day grace period to gives users time to install patches before technical details are revealed.

The project is keeping its famous 90-day disclosure period intact for vulnerabilities that remain unpatched, however, if a patch appears within the disclosure period, the technical details will appear 30 days after the patch is released.

For in-the-wild exploits, disclosure will occur a week after notification, along with technical details if unfixed. If a patch is released in the 7-day notification window, the technical details will appear 30 days later. Vendors will now be able to ask for a 3-day grace period

In rare instances where Project Zero has granted vendors a fortnight's grace on disclosure, or a new 3-day period for in-the-wild exploits, that period will use up part of the 30-day grace on technical details.

Last year, Project Zero introduced a policy where it gave vendors a complete 90-day window before it disclosed exploits.

That shift was also made in an effort to boost user patching, but it was far from successful.

"The idea was if a vendor wanted more time for users to install a patch, they would prioritise shipping the fix earlier in the 90-day cycle rather than later," Project Zero manager Tim Willis wrote.

"In practice, however, we didn't observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn't clearly understood."

Willis said the new 90+30-day system will start to be dialled down in the future, but the policy would need to start with deadlines that can be met by vendors.

"Based on our current data tracking vulnerability patch times, it's likely that we can move to a '84+28' model for 2022 (having deadlines evenly divisible by seven significantly reduces the chance our deadlines fall on a weekend)," he said.

"Moving to a '90+30' model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks.

"Disclosure policy is a complex topic with many trade-offs to be made, and this wasn't an easy decision to make."

Related Coverage

Editorial standards