Vendors will now have more time to patch their flaws

Feb 14, 2015 07:55 GMT

Google's Project Zero team had to deal with waves of criticism in the last few months, after the program disclosed critical vulnerabilities in Microsoft Windows and Apple OS X that their respective vendors had not yet patched.

Details of those bugs were published once the project's 90-day disclosure deadline expired, and neither Microsoft nor Apple managed to patch the flaws before the details went public as part of Google's program.

As a result, the Mountain View-based search giant has decided to update the disclosure policy of Project Zero in a way that would help software developers get “a second chance” to patch their software by providing them with more time to do it under certain circumstances.

In an announcement released by the Google Security team, the company reveals that out of the 154 security bugs found so far, a total of 85 percent were fixed during the 90-day timeframe, while the others were “typically fixed very quickly after that.”

Grace period

Google's Project Zero will now offer a grace period of 14 days if the vendor requests it. Basically, a company has to contact Google directly and ask for a 14-day grace period in order to be able to patch a certain security flaw before full details are made public.

“Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” Google says.

At the same time, Google explains that if the deadline is set to expire on a weekend or US holiday, the disclosure won't be made until the next business day, which is usually Monday. Again, this gives vendors more time to fix and ship a patch for the reported vulnerability.
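As an added example (not code from the article, from Google, or from Project Zero), the following Python helper computes the earliest disclosure date under the rules described above: 90 days from the date the vendor was notified, 14 more days if the vendor requested the grace period, and a roll-forward past weekends and any US holidays the caller supplies. The function names, the holiday set and the sample dates are assumptions constructed for this example; the holiday calendar is deliberately left to the caller rather than computed here.

```python
from datetime import date, timedelta

# Constructed parameters mirroring the policy described in the article:
# a 90-day deadline, plus a 14-day grace period granted only on request.
DEADLINE_DAYS = 90
GRACE_DAYS = 14


def next_business_day(d, holidays=frozenset()):
    """Roll a date forward past Saturdays, Sundays and any listed holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported, grace_requested=False, holidays=frozenset()):
    """Earliest public-disclosure date for a bug reported on `reported`.

    reported:        date the vendor was notified
    grace_requested: True if the vendor asked for the 14-day extension
    holidays:        set of date objects to treat as US holidays (assumed
                     to be supplied by the caller; none are built in)
    """
    deadline = reported + timedelta(days=DEADLINE_DAYS)
    if grace_requested:
        deadline += timedelta(days=GRACE_DAYS)
    # A deadline landing on a weekend or holiday moves to the next business day.
    return next_business_day(deadline, holidays)


def disclosure_iso(reported_iso, grace_requested=False, holidays_iso=()):
    """String-based wrapper: ISO-8601 dates in, ISO-8601 date out."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    result = disclosure_date(date.fromisoformat(reported_iso), grace_requested, holidays)
    return result.isoformat()


def status(reported, today, fixed, grace_requested=False, holidays=frozenset()):
    """Classify a report relative to its deadline on a given day.

    Returns one of: "fixed", "pending", "disclosable".
    """
    if fixed:
        return "fixed"
    if today < disclosure_date(reported, grace_requested, holidays):
        return "pending"
    return "disclosable"


if __name__ == "__main__":
    # Constructed sample: a report on Sunday 4 Jan 2015 has its 90-day deadline
    # on Saturday 4 Apr 2015, so disclosure rolls to Monday 6 Apr 2015.
    sample = date(2015, 1, 4)
    print("90-day deadline:     ", disclosure_date(sample))
    print("with grace period:   ", disclosure_date(sample, grace_requested=True))
    # Constructed holiday on that Monday pushes disclosure one more day.
    print("Monday is a holiday: ", disclosure_date(sample, holidays=frozenset({date(2015, 4, 6)})))
    print("status on 2015-04-06:", status(sample, date(2015, 4, 6), fixed=False))
```

The `status` helper is the piece a disclosure tracker actually needs day to day: it says whether a report is still inside its window, which is what decides whether publishing details is consistent with the policy.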

And last but not least, Google is also making sure that each vulnerability will come with a CVE that would help “uniquely identify vulnerabilities,” as the company says in the announcement.

As usual, Google points out that in extreme circumstances the deadline can be pushed back or forward, so basically, it all comes down to how well tech companies communicate with each other to handle the bug fixing and disclosure.

Needless to say, Google guarantees that its own products, including Chrome and Android, are subject to the same policy, so disclosures would be made under the same rules.