Source: Android Central
What you need to know
- Google is changing its Project Zero disclosure policy for 2020.
- Google will no longer disclose vulnerabilities and bugs before the end of the 90-day period, allowing firms time for more thorough patching.
- This is a 12-month policy trial with a re-evaluation period at the end of the year.
Google's Project Zero is undergoing a minor overhaul in 2020 — Google will trial a new change around its controversial vulnerability disclosure policy. The change already went into effect on New Year's Day.
In brief: going forward, Google will now offer a 90-day grace period for disclosures, regardless of when the bug was fixed. Previously, Google's policy was "90 days or when the bug is fixed," drawing ire from some companies at the seeming randomness of its disclosures. Now, Google aims to be a bit more consistent and to avoid even the appearance of impropriety.
Google's Tim Willis explained the team's thinking, saying:
We [...]like that the new policy will improve the consistency of our disclosure process, while also remaining simple and fair. For example, some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time. They saw it as a barrier to working with us on larger problems, so we're going to remove the barrier and see if things improve. We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration.
The new change in priorities here was to ensure that patches are developed and disseminated as widely as possible before being reported to the public. Google says that it's seen companies simply "paper over the cracks" in an attempt to develop patches as quickly as possible. That still leaves the vulnerabilities exploitable in theory, and Google wants to avoid that possibility. Google expects "iterative and more thorough patching from vendors" with "root cause and variant analysis" now that firms have the full 90-day period available.
Google is trialing this change over the next 12 months, and it'll be interesting to see how other tech companies react to it. Google doesn't expect it to please everyone, but it certainly looks better than last year's policy at first glance.
Here's why Project Zero should be split from Google
Pixel Pass could beat Apple One, but doesn't play to Google's strengths
We should learn more about Google's new subscription bundle / phone upgrade combo package during the Pixel 6 event. It should be a pretty great deal that competes with the best Apple has to offer, but Google probably should have done things differently.
Lenovo Chromebook Flex 5i review: The best Chromebook's shadow clone
You could be forgiven for looking at the Lenovo Chromebook Flex 5i and mistaking it for the most popular and best-valued Chromebook on the market today. The Flex 5i has very few differences this year, which makes it a solid laptop — that you probably shouldn’t buy right now.
Want to live again? Well hurry up, you've only got 7Days!
7Days! is a tense text-based adventure game through life and death. Kirell's soul hangs on the razor's edge between life and death. If she can complete a special task given to her by Charon within seven days, then she can be resurrected. How far will she go to live again? That's up to you!
Protect the inside of your home with these indoor security cameras
Home security is a topic people are paying ever more attention to these days, and we've got a round-up of the best indoor security cameras on the market today to help you secure your home.