Security News > 2021 > April > Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy

Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy
2021-04-16 10:47

Google's Project Zero cybersecurity research unit on Thursday announced that it's making some changes to its vulnerability disclosure policies, giving users 30 days to install patches before disclosing the technical details of a flaw.

Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020.

For 2021, the disclosure deadline of 90 days remains unchanged, but if the vulnerability is patched within that 90-day timeframe, technical details will only be made public 30 days after the release of a fix, to give users time to install the patch.

Until now, a vulnerability was disclosed immediately by Project Zero if a patch was released after the standard 90-day deadline but within the 14-day grace period.

Project Zero says the goals of its policies are faster patch development, thorough patch development, and improved patch adoption.

While the latest changes provide some advantages to users and vendors, Project Zero says it's aware that the 90+30 day policy will make it more difficult for defenders "To quickly perform their own risk assessment, prioritize patch deployment, test patch efficacy, quickly find variants, deploy available mitigations, and develop detection signatures."


News URL

http://feedproxy.google.com/~r/Securityweek/~3/D8enAnYiHas/google-project-zero-announces-2021-updates-vulnerability-disclosure-policy

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995