Google's Project Zero disclosure program shifts to full 90-day

Google’s Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities, the secret hackable bugs that are exploited by criminals, state-sponsored hackers, and intelligence agencies.

After experiencing some major improvements to how quickly vendors patch serious vulnerabilities, now 97.7% of their vulnerability reports can be fixed within the new 90-day disclosure policy. This revision of their policies is expected to encourage both more “thorough” security patches and wider adoption of those patches.

So, for vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed.  

There are more reforms. If there’s an incomplete fix, it’ll be reported to the developer and added to an existing report. Before, it would sometimes be treated as a separate problem with its own deadline. Google will also open tracker reports the moment a flaw is patched during the “grace period” (a 14-day window available if a developer will just miss the 90-day target) and on the 90th day.

Project Zero changelogs for 2020

Based on the information from the Project Zero blog by Tim Willis here are the changes made to the Project Zero;

• Fix a bug in 20 days? We will release all details on Day 90.
• Fix a bug in 90 days? We will release all details on Day 90.

And as regards the changes made to their policies, below is the policy goals for 2020:

1. Faster patch development (existing): We want vendors to develop patches quickly and have processes in place to get them into the hands of end-users. We will continue to pursue this with urgency.

2. Thorough patch development (new): Too many times, we’ve seen vendors patch reported vulnerabilities by “papering over the cracks” and not considering variants or addressing the root cause of vulnerability. One concern here is that our policy goal of “faster patch development” may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss. 

3. Improved patch adoption (new): End-user security doesn’t improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end-user is aware of the bug and typically patches their device. To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.

With this in place, Google is aiming at increasing the chances that you’ll be well-protected against exploits before they’re made public. Also, this new policy will be trialled for 12 months before Google decides whether to “change it long-term.”