Google's Project Zero has revealed that it will be trialing a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software.
The search giant's team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.
The manager of Project Zero at Google, Tim Willis explained in a blog post that while the team may be making changes to its disclosure policy, it has yielded impressive results over the last five years, saying:
- New Android zero-day affects millions of devices
- iMessage security flaws uncovered - here's what you need to know
- New vBulletin zero-day could infect thousands of sites worldwide
“We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.”
Disclosure policy changes
After reviewing its topic disclosure policy, Project Zero has announced that it will be making some changes in 2020 including that fact that all companies will be given a “full 90 days by default, regardless of when the bug is fixed”. However, if there is an agreement between a vendor and Project Zero, bug reports can be published before the 90 day deadline is up.
Google's security team will also now work to encourage companies to create patches that are more thorough and to improve adoption within the 90 day period. In the past, Project Zero's goal of “faster patch development” may have led vendors to patch vulnerabilities by “papering over the cracks” without addressing the root cause of a vulnerability and the changes to its disclosure policy aim to rectify this.
Project Zero also intends to work to improve timely patch adoption so that end users can actually benefit from bugs being fixed.
Google plans to trial the new policy for 12 months before it decides whether to “change it long term”.
- We've also highlighted the best antivirus software