Google Project Zero Cuts Bug Disclosure Timeline to a 30-Day Grace Period
2021-04-16 12:57

Google Project Zero will now wait 30 days after a vendor ships a patch before publishing the technical details of a zero-day flaw it discovered, under a new disclosure policy revealed this week that is aimed at shortening the time it takes for patches to be adopted by users.

The research group is changing its 90-day disclosure deadline slightly: it will delay disclosure of a vulnerability's technical details until 30 days after a patch is issued, provided that patch ships within the 90-day period (if no fix ships within 90 days, the details are still published at the deadline), according to a blog post by Project Zero's Tim Willis published Thursday.

The same rule applies to the shorter seven-day deadline Project Zero gives vendors for vulnerabilities it finds already being exploited in the wild: if a patch is released during that seven-day notification window, researchers will hold the technical details until 30 days after the patch, according to the post.

When Project Zero introduced its current 90-day disclosure policy last year, it aimed to balance three goals: faster patch development, shortening the time between a bug report and a fix being available for users; thorough patch development, ensuring each fix is correct and comprehensive; and improved patch adoption, shortening the time between a patch being released and users installing it, Willis said.

The project did not see the "significant shift in patch development timelines" that it had hoped for under its 2020 disclosure policy, he explained.

To push the effort further, Project Zero said it will shorten the 90-day disclosure deadline "in the near future" to reduce the time it takes to patch a flaw, and will keep tightening the timeline to speed up patch adoption "over the coming years until a steady state is reached," Willis wrote.


News URL

https://threatpost.com/google-project-zero-cuts-bug-disclosure-timeline-to-a-30-day-grace-period/165432/
