IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google’s Project Zero rolls out automatic 90-day disclosures

A raft of policy tweaks are aimed at instigating more thorough patch development and better patch adoption

Fake ladybug on a circuit board

The Project Zero security team has expanded disclosure for all bugs to a full 90 days after first being flagged, even if the bug has been fixed early, as part of a number of changes to its policies and objectives.

Previously, its security researchers would disclose a bug that’s been flagged after 90 days have elapsed, or when the bug was fixed, at their discretion. 

The Google-run team, however, is trialling 90-day disclosure by default, whether or not the bug has been fixed, unless a mutual agreement is reached between Project Zero and any vendor in concern.

Project Zero’s policy goals have also evolved beyond just ‘faster patch deployment’, to also encompass ‘thorough patch development’ and, among customers, ‘improved patch adoption’.

Extending the disclosure window to 90 days for bugs that have been fixed, meanwhile, will lead to incomplete fixes reported back, and compiled into the original bug report, as opposed to being filed under a new vulnerability. This was also previously done at the discretion of any particular researcher.

“We're constantly considering whether our policies are in the interest of user security, and we believe this change is a further step in the right direction,” said Project Zero manager Tim Willis. “We also think it's simple, consistent and fair.

“We want to make attacks using zero-day exploits more costly. We do this through the lens of offensive vulnerability research and evidence of how real attackers behave. 

“This involves discovering and reporting a large number of security vulnerabilities, and through our experience with this work, we realised that faster patch development and patch deployment were very important and areas for industry improvement.”

The team has been at the heart of a string of significant bug disclosures of varying severity over the last few years, including, for example, the disclosure in 2018 of a significant Edge browser bug that Microsoft didn't fix within the 90-day window.

Project Zero’s core principles also came under review, with the team prioritising simplicity, consistency and fairness to different vendors, where some don’t get preferential treatment over others.

Its two new core objectives, thorough patch deployment and improved adoption, meanwhile are being added in conjunction to the full extension of the 90-day window as there were concerns that some companies fixed bugs by simply “papering over the cracks”.

By extending the disclosure window to a full 90 days for all bugs, including fixed bugs, Project Zero is hoping that the aim of ‘faster patch deployment’ will no longer lead to compromise on quality if there’s no need to rush getting fixes out.

As a result of extending disclosure to 90 days, researchers are hoping to see more iterative and through patching practices from vendors, and also improve patch adoption since Project Zero is incentivising vendors to offer updates to a large population within 90 days.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022