Google says it will start disclosing security issues much quicker than before


  • Google's Project Zero gives vendors 90 days to fix a bug, and 30 days for patch adoption
  • 'Upstream patch gap' means it takes too long for a patch to become available
  • Reporting more details will encourage more transparency

Google has pledged to make updates to its Project Zero disclosure policy to report more security details quicker in an effort to improve security by enabling developers quicker access to the finer details of vulnerabilities.

Launched in 2021, Project Zero's 90+30 policy gives vendors 90 days to fix a reported bug, plus an additional 30 days for users to adopt the patch if it is fixed within the 90-day window.

However, since then a so-called 'upstream patch gap' has emerged, whereby the time between a fix becoming available upstream and that fix being shipped by downstream vendors is longer than ideal, extending the lifecycle of vulnerabilities.

Google's Project Zero will disclose even more information

A new trial policy will improve reporting transparency by disclosing the vendor or open-source project, the affected product, the date the report was filed and the 90-day disclosure deadline.

The changes were announced by the Project's Tim Willis, who explained: "For the end user, a vulnerability isn't fixed when a patch is released from Vendor A to Vendor B; it's only fixed when they download the update and install it on their device."

"By providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents," Willis wrote.

Google hopes that updating Project Zero to include more details sooner will help the public track how long it takes between a vendor first making a patch available and that patch reaching the end device. Willis explained that the goal is an environment where transparency is normal and expected.

Willis stressed that "no technical details, proof-of-concept code, or information that we believe would materially assist discovery will be released," so earlier reporting won't give attackers the upper hand.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
