UPDATED 19:46 EDT / JANUARY 08 2020

SECURITY

Google’s Project Zero will now wait 90 days before disclosing security vulnerabilities

Google LLC’s Project Zero security research team is changing its vulnerability disclosure policy to give software developers more time to patch any bugs it finds and ensure their users are protected.

The new policy, announced Tuesday, means Project Zero will wait a full 90 days before revealing any vulnerabilities, regardless of when the bug is actually fixed.

Previously, Project Zero would give software developers a 90-day window in which to patch any issues before it made the problem public. However, vulnerabilities would be disclosed earlier than that if a security patch was issued before the window expired. That could sometimes be problematic, though, since it meant that users would need to rush to install the patch before hackers can exploit the issue, and not everyone can do so in time.

So now, Project Zero will sit on any vulnerabilities it finds for the full 90 days after it makes the developer aware of the problem, even if a patch is issued earlier. The new policy will be tested for a year before Google decides to make it permanent or not.

There is some flexibility, though. In cases where there is a mutual agreement to disclose early, Project Zero may still do so. In addition, the security researchers said the 90-day window can also be extended by up to 14 days if developers request more time to complete a security patch.

Project Zero manager Tim Willis said in a blog post the new policy should improve consistency and give developers more certainty about when a vulnerability would be made public. He added that he also wants developers to use the extra time to issue more iterative and thorough security patches.

Despite the change to its disclosure policy, Willis said Project Zero is happy enough with how things have turned out so far. He noted that when Project Zero first launched in 2014, it would take up to six months for the majority of bugs it discovered to be patched. Now, 97.7% of vulnerabilities it discovers are patched within the 90-day window.

Constellation Research Inc. analyst Holger Mueller told SiliconANGLE that security and vulnerability challenges are the weak spot of the digital economy, and that Project Zero has done a great job in encouraging software vendors to fix these issues with urgency.

“Now Google is giving vendors 90 days to address these vulnerabilities, it’s striking a better balance between giving vendors a heads up and potential bad actors a view of the vulnerability,” Mueller said. “It’ll be interesting to see in what state the digital economy will be in 12 months later with  regards to exploits and vulnerabilities.”

Image: TBIT/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU