Google's Project Zero bug reporting rules softened
The company will no longer count public holidays in the countdown and will offer a 14-day grace period
Google has tweaked its Project Zero bug posting rules, meaning public holidays aren't counted in the 90 days before the search giant reveals bugs, and companies will have a 14-day 'grace period' to fix vulnerabilities after the 90-day cut-off.
The changes come after the company received complaints from Microsoft and Apple when it publicly exposed bugs in Mac OS and Windows, without giving the companies enough time to fix them.
Google said in its advisory: "If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.
"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."
Google's Project Zero seeks to find software vulnerabilities that could affect millions of people, in order to protect them against the security risks those flaws create.
Google used the example of a flaw uncovered in Adobe Flash, which has a massive install base; had the bug not been fixed within the 90 days, it could have had devastating effects. "To date, [the Adobe team] have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days," Google said.
"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February. Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."