Project Zero is widely respected for finding major vulnerabilities, but criticized by some industry peers for its relatively fast disclosure timelines. For 2020, the security team is trialing a new policy under which vendors get a full 90 days before issues are disclosed.
Google is “happy with how well [its] disclosure policy has worked over the past five years,” noting that 97.7% of vulnerability reports are fixed within the current 90-day disclosure policy. For comparison, some issues in 2014 were taking six or more months to patch.
After reviewing the “complex and often controversial” topic of disclosure policy, there will be a change in 2020. Affected vendors will be given a “full 90 days by default, regardless of when the bug is fixed.” If there is agreement between a vendor and Project Zero, bug reports can be published earlier.
- Fix a bug in 20 days? We will release all details on Day 90.
- Fix a bug in 90 days? We will release all details on Day 90.
Instead of just striving for “faster patch development,” Project Zero now wants to encourage thorough patches and improved adoption within those 90 days.
Faster patch development (existing): We want vendors to develop patches quickly and have processes in place to get them into the hands of end users. We will continue to pursue this with urgency.
Thorough patch development (new): Too many times, we’ve seen vendors patch reported vulnerabilities by “papering over the cracks” and not considering variants or addressing the root cause of a vulnerability. One concern here is that our policy goal of “faster patch development” may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.
Improved patch adoption (new): End user security doesn’t improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device. To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.
This new policy will be trialed for 12 months before Google decides whether to “change it long-term.”