Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
2020-01-08 20:10

The more notable part of the announcement is Project Zero's decision to wait until 90 days have elapsed before disclosing bug details, even if a patch becomes available before then.

"For the last five years, the team has used its vulnerability disclosure policy to focus on one primary goal: Faster patch development," explained Willis, in a posting on Tuesday on the policy changes.

"Project Zero's policy and disclosure update is a solid concession given the amount of time it can take to get a security patch fully deployed to users, even when a vendor fixes the bug quickly," he said.

"The right kind of pressure can be a good thing when it comes to vulnerability finds and fixes, and this is what Google is trying to optimize through its policy. Creating efficient patch developments, but avoiding hasty rollouts, is Project Zero's goal, and Google is moving the industry forward with this policy by motivating developers to prioritize security. The policy's delayed disclosure notice is a smart move - It relieves the incentive to rush patch development into the wild, which in turn reduces the potential for poor security outcomes as a product of their research."

A 90-day disclosure deadline at Project Zero has been in place for a while, meaning that if an affected vendor doesn't fix a vulnerability by then or ask for more time, details will be released at 90 days, regardless.


News URL

https://threatpost.com/google-ditches-patch-disclosure-90-day-policy/151626/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 141 996 4895 2855 1622 10368