Source: Android Central
What you need to know
- Google is changing its Project Zero disclosure policy for 2020.
- Google will no longer disclose vulnerabilities and bugs before the end of the 90-day period, allowing firms time for more thorough patching.
- This is a 12-month policy trial with a re-evaluation period at the end of the year.
Google's Project Zero is undergoing a minor overhaul in 2020: Google will trial a change to its controversial vulnerability disclosure policy. The change already went into effect on New Year's Day.
In brief: going forward, Google will offer a 90-day grace period for disclosures, regardless of when the bug was fixed. Previously, Google's policy was "90 days or when the bug is fixed," which drew ire from some companies over the seeming randomness of its disclosures. Now, Google aims to be a bit more consistent and to avoid even the appearance of impropriety.
Google's Tim Willis explained the team's thinking, saying:
We [...] like that the new policy will improve the consistency of our disclosure process, while also remaining simple and fair. For example, some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time. They saw it as a barrier to working with us on larger problems, so we're going to remove the barrier and see if things improve. We hope this experiment will encourage vendors to be transparent with us, to share more data, build trust and improve collaboration.
The priority behind the change is to ensure that patches are developed and disseminated as widely as possible before the bugs are reported to the public. Google says that it's seen companies simply "paper over the cracks" in an attempt to develop patches as quickly as possible. That still leaves the vulnerabilities exploitable in theory, and Google wants to avoid that possibility. Google expects "iterative and more thorough patching from vendors" with "root cause and variant analysis" now that firms have the full 90-day period available.
Google is trialing this change over the next 12 months, and it'll be interesting to see how other tech companies react to it. Google doesn't expect it to please everyone, but it certainly looks better than last year's policy at first glance.