Google’s Project Zero, a team of dedicated security engineers tasked with reducing the number of “zero-day” vulnerabilities across the Internet, says it will give developers an extra 30 days before disclosing vulnerability details, so as to give end users time to patch their applications.
Developers will still have 90 days to fix bugs, but Project Zero will wait another 30 days before it publishes the details of the bug. If a flaw is being actively exploited in the wild, a company will have seven days to issue a patch, plus a three-day grace period if requested. After that, Project Zero will wait 30 days before it discloses technical details.
In 2020, Google announced a trial that gave developers 90 days for patch development and adoption, with the idea that when a vendor needed more time for users to install a patch, they would ship the fix early in the 90-day window. “In practice however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch,” Project Zero’s Tim Willis wrote in the blog post. “In other words, the implied timeline for patch adoption wasn’t clearly understood.”
The objective of the 2021 update, Willis wrote, is to make the patch adoption deadline an inseparable part of its vulnerability disclosure policy. “This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive,” he wrote. “Our preference is to choose a starting point that may be consistently met by the majority of vendors, and then gradually lower both patch growth and patch adoption timelines.”