Defensive Google backs down on security disclosure procedures


Google has moved to relax the tight 90-day disclosure deadline its Project Zero team applies to security vulnerabilities after receiving a fair amount of flak following an incident with Microsoft.

A blog post from the team announced that there is a new 14-day grace period for vulnerabilities, that deadlines falling on weekends will automatically be moved to the next working day, and that the assignment of CVEs has been adjusted.

The grace period means that any company notified by Project Zero of a vulnerability will have up to 104 days to actually release a fix, provided that the firm involved confirms a fix will be released within that timeframe.

How does it compare?

It comes after Google's crack team of security engineers who work under the Project Zero moniker came in for a raft of criticism when details of a Microsoft vulnerability were disclosed just a couple of days before Patch Tuesday, when Microsoft was planning to roll out a patch to fix it.

The blog went on to defend the 90-day disclosure rule by explaining that it compares well with CERT's 45-day disclosure policy and Yahoo's 90-day rule. Project Zero started working to crack down on "zero day" vulnerabilities in July 2014 and, to date, of the 154 bugs it has identified, 85 percent were fixed within the 90-day period.

Via: Google