Google’s Project Zero rolls out automatic 90-day disclosures

A raft of policy tweaks are aimed at instigating more thorough patch development and better patch adoption

Fake ladybug on a circuit board

The Project Zero security team has expanded disclosure for all bugs to a full 90 days after first being flagged, even if the bug has been fixed early, as part of a number of changes to its policies and objectives.

Previously, its security researchers would disclose a bug that’s been flagged after 90 days have elapsed, or when the bug was fixed, at their discretion. 

The Google-run team, however, is trialling 90-day disclosure by default, whether or not the bug has been fixed, unless a mutual agreement is reached between Project Zero and any vendor in concern.

Project Zero’s policy goals have also evolved beyond just ‘faster patch deployment’, to also encompass ‘thorough patch development’ and, among customers, ‘improved patch adoption’.

Extending the disclosure window to 90 days for bugs that have been fixed, meanwhile, will lead to incomplete fixes reported back, and compiled into the original bug report, as opposed to being filed under a new vulnerability. This was also previously done at the discretion of any particular researcher.

“We're constantly considering whether our policies are in the interest of user security, and we believe this change is a further step in the right direction,” said Project Zero manager Tim Willis. “We also think it's simple, consistent and fair.

“We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave. 

“This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement.”

The team has been at the heart of a string of significant bug disclosures of varying severity over the last few years, including, for example, the disclosure in 2018 of a significant Edge browser bug that Microsoft didn't fix within the 90-day window.

Project Zero’s core principles also came under review, with the team prioritising simplicity, consistency and fairness to different vendors, where some don’t get preferential treatment over others.

Its two new core objectives, thorough patch deployment and improved adoption, meanwhile are being added in conjunction to the full extension of the 90-day window as there were concerns that some companies fixed bugs by simply “papering over the cracks”.

By extending the disclosure window to a full 90 days for all bugs, including fixed bugs, Project Zero is hoping that the aim of ‘faster patch deployment’ will no longer lead to compromise on quality if there’s no need to rush getting fixes out.

As a result of extending disclosure to 90 days, researchers are hoping to see more iterative and through patching practices from vendors, and also improve patch adoption since Project Zero is incentivising vendors to offer updates to a large population within 90 days.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021