Google's Project Zero bug reporting rules softened

The company will no longer count public holidays in the countdown and will offer a 14-day grace period

Google has tweaked its Project Zero bug posting rules: public holidays no longer count towards the 90 days before the search giant reveals a bug, and companies will have a 14-day 'grace period' to fix vulnerabilities after the 90-day cut-off.

The changes come after the company received complaints from Microsoft and Apple when it publicly exposed bugs in Mac OS and Windows without giving the companies enough time to fix them.

Google said in its advisory: "If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."

Google's Project Zero seeks to find vulnerabilities in software that could affect millions of people, in order to protect them against the security risks those flaws create.

Google used the example of a flaw uncovered in Adobe Flash, which has a massive install base; had the bug not been fixed within the 90 days, it could have had devastating effects. "To date, [the Adobe team] have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days," Google said.

"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February. Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."
