Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea
2020-01-07 20:22

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products.

As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see.

In either case, of course, you're racing against malware developers who are poring over your security patch, as soon as it is released, to find a way to attack unpatched users - though bear in mind, when Google goes public, it typically posts proof-of-concept exploit code, taking care of most of that effort for miscreants.

In a blog post on Tuesday, Tim Willis, Project Zero manager, explained that the policy tweak is intended to encourage more thorough patch development and better patch adoption, while maintaining the policy's original goal of driving faster patch development.

In other words, Project Zero researchers hope the consistent 90-day disclosure window will give vendors' security engineers more time after a patch is initially developed to ensure it also covers minor variants of the exploit that could bypass the original fix.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/07/google_project_zero/
