Skip to main content

Google Project Zero changes rules on revealing cyberattacks

(Image credit:

Google's Project Zero has revealed that it will be trialing a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software.

The search giant's team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.

The manager of Project Zero at Google, Tim Willis explained in a blog post that while the team may be making changes to its disclosure policy, it has yielded impressive results over the last five years, saying:

“We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.”

Disclosure policy changes

After reviewing its topic disclosure policy, Project Zero has announced that it will be making some changes in 2020 including that fact that all companies will be given a “full 90 days by default, regardless of when the bug is fixed”. However, if there is an agreement between a vendor and Project Zero, bug reports can be published before the 90 day deadline is up.

Google's security team will also now work to encourage companies to create patches that are more thorough and to improve adoption within the 90 day period. In the past, Project Zero's goal of “faster patch development” may have led vendors to patch vulnerabilities by “papering over the cracks” without addressing the root cause of a vulnerability and the changes to its disclosure policy aim to rectify this.

Project Zero also intends to work to improve timely patch adoption so that end users can actually benefit from bugs being fixed.

Google plans to trial the new policy for 12 months before it decides whether to “change it long term”.

Via 9to5Google

Anthony Spadafora

After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal and TechRadar. He has been a tech enthusiast for as long as he can remember and has spent countless hours researching and tinkering with PCs, mobile phones and game consoles.