Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy (Security News, April 2021)
Google's Project Zero vulnerability research team on Thursday announced changes to its vulnerability disclosure policy: once a fix ships, users will get 30 days to install it before Project Zero publishes the technical details of the flaw.
Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020.
For 2021, the 90-day disclosure deadline remains unchanged, but if a vulnerability is patched within that 90-day window, technical details will only be made public 30 days after the fix is released, to give users time to install the patch (a "90+30" model).
Until now, if a patch was released after the standard 90-day deadline but within the 14-day grace period, Project Zero disclosed the vulnerability immediately upon the patch's release.
Project Zero says the goals of its policies are faster patch development, thorough patch development, and improved patch adoption.
While the latest changes provide some advantages to users and vendors, Project Zero acknowledges that the 90+30 day policy will make it more difficult for defenders "to quickly perform their own risk assessment, prioritize patch deployment, test patch efficacy, quickly find variants, deploy available mitigations, and develop detection signatures."