Google's Project Zero bug reporting rules softened

Google has tweaked its Project Zero bug posting rules: public holidays no longer count against the 90 days it gives vendors before revealing a bug, and companies get a 14-day 'grace period' to fix vulnerabilities after the 90-day cut-off.

The changes come after the company received complaints from Microsoft and Apple when it publicly exposed bugs in Mac OS and Windows, without giving the companies enough time to fix them.

Google said on its advisory: "If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."

Google's Project Zero seeks out vulnerabilities in widely used software, where a single flaw could expose millions of people, so that they can be fixed before attackers exploit them.

Google used the example of a flaw uncovered in Adobe Flash: with such a massive install base, a bug left unfixed beyond the 90 days could have had devastating effects. "To date, [the Adobe team] have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days," Google said.

"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February. Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.