Google says it will start disclosing security issues much quicker than before
Project Zero is getting an important update

- Google's Project Zero gives vendors 90 days to fix a bug, and 30 days for patch adoption
- 'Upstream patch gap' means it takes too long for a patch to become available
- Reporting more details will encourage more transparency
Google has pledged to update its Project Zero disclosure policy so that more security details are reported sooner, in an effort to improve security by giving developers faster access to the finer details of vulnerabilities.
In 2021, Project Zero launched a 90+30 policy: 90 days for vendors to fix a reported bug, and an additional 30 days for users to adopt the patch if it is fixed within the 90-day window.
However, since then a so-called 'upstream patch gap' has emerged, whereby the time between a fix becoming available upstream and that fix being shipped by downstream vendors is longer than ideal, extending the lifecycle of vulnerabilities.
Google's Project Zero will disclose even more information
A new trial policy will improve reporting transparency by disclosing the vendor or open-source project, the affected product, the date of the filed report and the 90-day disclosure deadline.
The changes were announced by the Project's Tim Willis, who explained: "For the end user, a vulnerability isn't fixed when a patch is released from Vendor A to Vendor B; it's only fixed when they download the update and install it on their device."
"By providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents," Willis wrote.
Google hopes that updating Project Zero to include more details sooner will help the public track how long it takes between a vendor first making a patch available and that patch reaching the end device. Willis explained that the goal is an environment where transparency is normal and expected.
Willis stressed, "no technical details, proof-of-concept code, or information that we believe would materially assist discovery will be released," therefore earlier reporting won't give attackers the upper hand.
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!