
Google's Project Zero disclosure program shifts to full 90-day

This new Google policy will give developers more time to fix security flaws

Google’s Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities, the secret hackable bugs that are exploited by criminals, state-sponsored hackers, and intelligence agencies.

Vendors have become much quicker at patching serious vulnerabilities, and 97.7% of Project Zero's vulnerability reports can now be fixed within the new 90-day disclosure policy. The revised policy is expected to encourage both more “thorough” security patches and wider adoption of those patches.

So, for vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed.  

There are more reforms. If there’s an incomplete fix, it’ll be reported to the developer and added to an existing report. Before, it would sometimes be treated as a separate problem with its own deadline. Google will also open tracker reports the moment a flaw is patched during the “grace period” (a 14-day window available if a developer will just miss the 90-day target) and on the 90th day.

Project Zero changelogs for 2020

According to the Project Zero blog post by Tim Willis, these are the changes made to the Project Zero policy:

  • Fix a bug in 20 days? We will release all details on Day 90.
  • Fix a bug in 90 days? We will release all details on Day 90.

As for the changes to the policy itself, below are the policy goals for 2020:

  1. Faster patch development (existing): We want vendors to develop patches quickly and have processes in place to get them into the hands of end-users. We will continue to pursue this with urgency.
  2. Thorough patch development (new): Too many times, we’ve seen vendors patch reported vulnerabilities by “papering over the cracks” and not considering variants or addressing the root cause of vulnerability. One concern here is that our policy goal of “faster patch development” may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.
  3. Improved patch adoption (new): End-user security doesn’t improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end-user is aware of the bug and typically patches their device. To this end, improving timely patch adoption is important to ensure that users are actually acquiring the benefit from the bug being fixed.

With this in place, Google aims to increase the chances that you’ll be well-protected against exploits before they’re made public. The new policy will be trialled for 12 months before Google decides whether to “change it long-term.”

This article was written based on information collected from the following websites:
  1. Project Zero blog
  2. Engadget
  3. 9To5Google
