Google Project Zero implements new vulnerability disclosure policies

In a statement, Google Project Zero announced a change to its vulnerability disclosure policy: vendors will still have 90 days after the initial report to fix a reported flaw, but the publication of technical details will now be held back for an additional 30 days after a patch ships, to give users time to apply it. Under the previous policy, details were published at the 90-day mark regardless of how widely the fix had been deployed.

The research unit notes that the publication of technical details for fixed flaws will be delayed by up to 30 days after the release of the patch: “Vendors will have 90 days to develop the corresponding updates and an additional 30 days for the patch deployment,” the report notes.

This model, identified as “90+30”, is intended to “remove the link between patch time and patch adoption time, as well as reduce the debate about attacker/defender trade-offs and disclosure of technical details when vulnerable systems have not been updated,” Project Zero’s report notes.

It should be noted that if a vulnerability remains unpatched at the end of the 90-day period after the report, its technical details will still be published immediately once that deadline passes. Project Zero is also applying a similar scheme to vulnerabilities that are being actively exploited in the wild.

For such in-the-wild exploits, the deadline to fix is seven days. If a patch is released within that seven-day period, researchers will not disclose the technical details until 30 days later. Vendors whose products are affected may also request a three-day grace period before Project Zero discloses the technical details.

Vulnerability management and patching have long been a difficult task, especially for larger organizations that struggle to keep up with each newly discovered security flaw.

Even for consumer-facing businesses like Microsoft, Google, and Apple, patching isn’t always as easy as vendors expect. Sometimes it’s because customers don’t enable automatic device updates, leaving them unpatched for longer than they should be; sometimes it’s the companies themselves that are responsible for the gap between discovering a critical vulnerability and shipping a patch. Google Project Zero believes the new policy will benefit end users, and the changes take effect immediately.
