Google Project Zero Updates Vulnerability Disclosure Policy
2020-01-08 18:27

Google's Project Zero has updated its vulnerability disclosure policy: bug reports will now be kept private for the full 90 days by default, regardless of whether the vendor ships a patch before the deadline.

Project Zero's Tim Willis notes that the goal of the new policy goes beyond speeding up patch delivery: thorough patch development and improved patch adoption by users are also explicit aims.

The original 90-day deadline was adopted to push vendors to release patches quickly, so that users are protected from potential attacks before vulnerability details become public.

Joseph Carson, chief security scientist at Thycotic, told SecurityWeek in an emailed comment, "Project Zero is right to make this change as public disclosures tend to set the race to create exploits for vulnerabilities which can cause bigger problems for customers. However, in my opinion, responsible disclosure should not be just based on the actual vulnerability but the actual risk, as not all vulnerabilities are equal."

Carson continued, "Sometimes we focus too much on the vendor rather than the customer; responsible disclosure should be prioritizing that customers are notified of a vulnerability with the intention of reducing the risks, by either making the vulnerability public so they are aware that a risk exists, applying hardening to reduce the risks, or applying a vendor patch. Difficulty in patching systems should also be taken into consideration, as even with public vulnerability disclosures most systems remain unpatched for much longer, even years. Responsible disclosure is too broad today and needs to really put the customer first."


News URL

http://feedproxy.google.com/~r/Securityweek/~3/y3X69Vd6FrY/google-project-zero-updates-vulnerability-disclosure-policy
