The 30-day grace period is designed to speed up the rollout and adoption of patches
Google’s Project Zero team has announced that it will give vendors and companies an extra 30-day period before it discloses the technical details of a vulnerability.
“Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details,” said Tim Willis, the senior security engineering manager of Google’s elite bug-hunting crew.
Previously, in line with the 2020 disclosure policy, vendors were afforded a 90-day cycle between the initial vulnerability report and the public disclosure of its details, with the public disclosure taking place regardless of whether the bug was fixed or not.
Google revises Disclosure Policy to help improve patch adoption
Google's Project Zero will not share technical details of the bug for 30 days if a vendor fixes the vulnerability within a 90-day deadline
Google's Project Zero team has announced it is moving to a 90+30 model in its vulnerability disclosure policy, to help speed users' adoption of patches.
April 16th, 2021
Google's Project Zero security team will wait an extra 30 days before disclosing vulnerability details so end-users have enough time to patch software, Google has announced. That means developers will still have 90 days to fix regular bugs (with a 14-day grace period if requested), but Google will wait an additional 30 days before disclosing the details publicly. For flaws being actively exploited in the wild (zero day), companies still have seven days to patch, with a three-day grace period on demand. However, Google will now wait 30 days before revealing the technical details.
Last year, Google allowed developers more time to fix bugs, hoping they would fix them quickly enough to allow end-users more time to patch. In practice however, we didn't observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical detail
The zero-day flaw research group has revised its disclosure of the technical details of vulnerabilities in the hopes of speeding up the release and adoption of fixes.
Google Project Zero will now give organizations a 30-day grace period to patch zero-day flaws it discovers in a new disclosure policy revealed this week aimed at speeding up the time it takes for patches to be adopted.
Known for discovering a number of high-profile zero days in Google’s own products as well as those found in rival Apple’s software, Project Zero last year began revealing the technical details of flaws its researchers discovered 90 days after the initial vulnerability report.
Google has added an extra 30-day period to its vulnerability disclosure cycle to allow customers more time to fix vulnerabilities before technical details are released.
The tech giant’s Project Zero team is a prolific researcher of industry vulnerabilities, and maintains a strict 90-day policy of public vulnerability disclosure after vendor notification, in order to pressure firms to issue patches quicker.
“In practice however, we didn't observe a significant shift in patch development timelines,” explained manager Tim Willis yesterday. “And we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn't clearly understood.”