Google's Project Zero will now wait 90 days before disclosing some critical vulnerabilities

Google "G" logo (Image credit: Android Central)

What you need to know

  • Google is changing its Project Zero disclosure policy for 2020.
  • Google will no longer disclose vulnerabilities and bugs before the end of the 90-day period, allowing firms time for more thorough patching.
  • This is a 12-month policy trial with a re-evaluation period at the end of the year.

Google's Project Zero is making a modest change in 2020: it is trialing a revision to its much-debated vulnerability disclosure policy. The change took effect on New Year's Day.

In brief: going forward, Project Zero will wait the full 90 days before publishing details of a bug, regardless of when the vendor ships a fix. Previously, the policy was "90 days or when the bug is fixed," whichever came first, which drew ire from some companies who saw the timing of disclosures as unpredictable. Now, Google aims to be more consistent and to avoid even the appearance of impropriety.

Google's Tim Willis explained the team's thinking, saying:

We [...] like that the new policy will improve the consistency of our disclosure process, while also remaining simple and fair. For example, some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time. They saw it as a barrier to working with us on larger problems, so we're going to remove the barrier and see if things improve. We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration.

The aim of the change is to ensure that patches are developed and distributed as widely as possible before the details become public. Google says it has seen companies simply "paper over the cracks" in a rush to ship a fix: a narrow patch that addresses only the reported case can leave the underlying flaw, or close variants of it, still exploitable, and Google wants to avoid that outcome. With the full 90-day period available regardless of fix date, Google expects "iterative and more thorough patching from vendors," including "root cause and variant analysis."

Google is trialing this change over the next 12 months, and it'll be interesting to see how other tech companies react to it. Google doesn't expect it to please everyone, but it certainly looks better than last year's policy at first glance.


Michael Allison