Vulnerabilities will be disclosed after 90 days, period

Jan 8, 2020 08:30 GMT

Google has announced a series of changes to its Project Zero program, essentially giving more time for patching when developers release a fix before the 90-day deadline is reached.

Under the existing Google Project Zero policy, full disclosure is published after 90 days or when the bug is fixed, whichever comes first; the Mountain View-based search giant is changing this to improve patch deployment.

Beginning February 1, Google will give developers the full 90 days regardless of whether the bug has already been fixed. Earlier disclosure is possible only by mutual agreement between Google and the researcher.

“If there is mutual agreement between the vendor and Project Zero, bug reports can be opened to the public before 90 days elapse. For example, a vendor wants to synchronize the opening of our tracker report with their release notes to minimize user confusion and questions,” Google explains.

Faster patching

Google says the new policy allows for “faster patch development, thorough patch development, and improved patch adoption.”

Google is also changing how it handles incomplete fixes. Until now, such issues were filed as separate vulnerabilities; going forward, Google will report the problems to the vendor and add them to the existing report without starting a new deadline.

“The full 90 day window is available to perform root cause and variant analysis. We expect to see iterative and more thorough patching from vendors, removing opportunities that attackers currently have to make minor changes to their exploits and revive their zero-day exploits,” Tim Willis, Project Zero, explains.

Google says its Project Zero program has so far worked as expected in pushing for faster patching, with 97.7% of the bugs discovered to date fixed before the 90-day deadline.

The new changes take effect on February 1, and Google says it will run them as a 12-month trial to determine whether to keep them in the long term.