Google announced its Project Zero initiative in the middle part of last year, and now the Mountain View company is making some amendments to the rules for disclosure of bugs it finds in vendors’ software. There has been a 90-day deadline in place since the launch of the program, and that seems to be working well according to a post on the Project Zero blog, but the company says that it has taken into consideration “external feedback around some of the corner cases” and made some changes.
Google says that companies have actually been quite good about meeting the 90-day deadline, calling out Adobe specifically as having fixed all 37 Project Zero vulnerabilities within that time frame. Other companies haven’t managed to do so well, though: 154 Project Zero vulnerabilities have been documented so far, with just about 85% of those patched within 90 days.
One notable case of a missed deadline was Microsoft failing to fix, in time, a Project Zero-discovered vulnerability that gave lower-privileged Windows users administrator privileges. Google held fast to its word and published the vulnerability after the 90-day window, and Microsoft, feeling the heat, shipped a fix very soon after.
Apparently, though, Google has decided that it’s best not to be quite so harsh. The company says that it is now implementing a 14-day grace period, which gives vendors a chance to push a patch within two weeks after the deadline if they let Google know before the deadline that one is scheduled…
Grace period. We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances,” Google said in the post. But it’s clear that the company’s “Don’t be evil” tagline is shining through a little bit with this announcement, as not only will vendors get a 14-day grace period from this point forward, but deadlines will be pushed to the next work day if they land on a holiday or weekend as well.
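The rules quoted above (90-day deadline, 14-day grace period when a patch date is announced before the deadline, and deadlines that fall on a weekend or holiday rolling to the next work day) are simple enough to encode, which is useful for anyone tracking disclosures on the receiving end. The following is an added example written for this page; it is not Google’s or Project Zero’s code. The holiday list and the sample dates are constructed, and it assumes the grace window is counted from the rolled (work-day) deadline, which the post does not spell out.

```python
from datetime import date, timedelta

DEADLINE_DAYS = 90   # standard Project Zero deadline from the post
GRACE_DAYS = 14      # grace period added by the policy change

# Constructed holiday calendar for illustration (ISO date strings).
# A real tracker would load the relevant organisational calendar.
HOLIDAYS = {"2015-05-25", "2015-07-03"}


def next_work_day(d, holidays=HOLIDAYS):
    """Roll a date forward until it is neither a weekend nor a listed holiday."""
    while d.weekday() >= 5 or d.isoformat() in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported, patch_scheduled=None, notified_on=None,
                    holidays=HOLIDAYS):
    """Return (iso_date, reason) for when an issue becomes public.

    reported        - ISO date the vendor was notified of the bug
    patch_scheduled - ISO date the vendor says the fix ships (optional)
    notified_on     - ISO date the vendor told the researcher that date (optional)

    Rules, as described in the post:
      1. Deadline is 90 days after the report.
      2. A deadline on a weekend/holiday moves to the next work day.
      3. If the vendor gives notice *before* the deadline of a patch date
         no more than 14 days *after* it, disclosure waits for the patch.
      4. Otherwise the issue is disclosed on the deadline.
    Assumption: the 14-day window is measured from the rolled deadline.
    """
    reported = date.fromisoformat(reported)
    deadline = next_work_day(reported + timedelta(days=DEADLINE_DAYS), holidays)

    if patch_scheduled is not None and notified_on is not None:
        patch = date.fromisoformat(patch_scheduled)
        notice = date.fromisoformat(notified_on)
        grace_end = deadline + timedelta(days=GRACE_DAYS)
        # Notice must arrive by the deadline and the patch must land inside
        # the grace window; a patch promised for later than that gets no delay.
        if notice <= deadline and deadline < patch <= grace_end:
            return patch.isoformat(), "grace period"

    return deadline.isoformat(), "deadline"


if __name__ == "__main__":
    # Constructed sample cases; 2015-01-05 + 90 days is Sunday 2015-04-05.
    print(disclosure_date("2015-01-05"))                                   # rolls to 2015-04-06
    print(disclosure_date("2015-01-05", "2015-04-15", "2015-04-01"))       # grace period
    print(disclosure_date("2015-01-05", "2015-04-15", "2015-04-07"))       # notice too late
    print(disclosure_date("2015-01-05", "2015-05-01", "2015-04-01"))       # patch too far out
    print(disclosure_date("2015-02-24"))                                   # lands on holiday
```

The two "deadline" outcomes for a late notice or a patch more than 14 days out are the corner cases the post's wording hinges on: the grace period only applies when the vendor speaks up before the deadline and commits to a date inside the two-week window.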