Google's Project Zero Policy Change Mandates 90-Day Disclosure

Published: 23/11/2024   Category: security




The updated disclosure policy aims to achieve more thorough and improved patch development, Google reports.



Google's Project Zero, a division focused on security research, today announced changes to its Disclosure Policy. All vulnerabilities will be released after 90 days by default, regardless of when a bug is fixed, unless an agreement has been made between Project Zero and the vendor.
The 90-day disclosure deadline has existed for five years and has accelerated patch development. When Project Zero began in 2014, some vulnerabilities took longer than six months to address. Last year, 97.7% of issues were addressed within the 90-day deadline. Still, the division recognizes there is progress to be made in patch development and vulnerability management.
Now it is trialing a new policy for bugs reported starting January 1, 2020. Project Zero's old guidelines allowed vulnerability details to be released when the bug was fixed, even if that was ahead of Day 90. Its new policy eliminates early disclosure: details will be released on Day 90 for all bugs. If there is mutual agreement between the vendor and Project Zero, bug reports can be released to the public under the 90-day timeline, researchers report in a blog post.
"The goal is to provide a more consistent, and fair way to release patches," wrote Project Zero's Tim Willis in a blog post. While faster patch development remains a goal, the team is now placing equal focus on thorough patch development and broad adoption. It also hopes to create equity among vendors so that no one company, including Google, gets preferential treatment.
"Too many times, we've seen vendors patch reported vulnerabilities by papering over the cracks and not considering variants or addressing the root cause of a vulnerability," Willis explained. A focus on faster patch development may exacerbate this issue, he continued, enabling attackers to adjust their exploits and continue launching attacks.
Further, Willis pointed out, patches must be applied in order to be effective. To this end, "improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed." With the mandated 90-day window, the hope is that vendors will be able to offer updates and encourage more people to install fixes within 90 days.
Project Zero will test this policy for 12 months, then consider whether to make it a long-term change. Read more details in Project Zero's full blog post.

