Google Project Zero changes rules on revealing cyberattacks

(Image credit: Shutterstock.com)

Google's Project Zero has revealed that it will be trialing a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software.

The search giant's team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.

The manager of Project Zero at Google, Tim Willis explained in a blog post that while the team may be making changes to its disclosure policy, it has yielded impressive results over the last five years, saying:

“We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.”

Disclosure policy changes

After reviewing its topic disclosure policy, Project Zero has announced that it will be making some changes in 2020 including that fact that all companies will be given a “full 90 days by default, regardless of when the bug is fixed”. However, if there is an agreement between a vendor and Project Zero, bug reports can be published before the 90 day deadline is up.

Google's security team will also now work to encourage companies to create patches that are more thorough and to improve adoption within the 90 day period. In the past, Project Zero's goal of “faster patch development” may have led vendors to patch vulnerabilities by “papering over the cracks” without addressing the root cause of a vulnerability and the changes to its disclosure policy aim to rectify this.

Project Zero also intends to work to improve timely patch adoption so that end users can actually benefit from bugs being fixed.

Google plans to trial the new policy for 12 months before it decides whether to “change it long term”.

Via 9to5Google

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.