Google Project Zero updates vulnerability disclosure policy moving to a “90+30” model

Pierluigi Paganini April 17, 2021

The Google Project Zero security team has updated its vulnerability disclosure policy: it now gives users 30 days to patch flaws before the associated technical details are disclosed.

The Google Project Zero security team announced an update to its vulnerability disclosure policy. For some bugs, the disclosure process may now include an additional 30 days, to give end users enough time to patch the vulnerability before threat actors can actively exploit it.

Until now, Google Project Zero’s vulnerability disclosure policy gave IT and software vendors 90 days to address bugs that the team discovered in their products. If the vendor had not fixed the bugs within that 90-day period, Project Zero would publicly disclose technical details about them regardless.

“The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy. Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.” reads the post published by Google.

“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines.”

From now on, Project Zero will wait an additional 30 days after the patch is released before publishing technical details about the bug.


Starting in 2021, Project Zero will allow an additional 30 days before publicly disclosing technical details about a bug. In addition, vendors will be able to request another 3 days for vulnerabilities that are being actively exploited.

The security team also plans to adopt an “84+28” model for 2022, since deadlines evenly divisible by 7 significantly reduce the chance that a deadline falls on a weekend.

“Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks.” concludes the post.

“Disclosure policy is a complex topic with many trade-offs to be made, and this wasn’t an easy decision to make. We are optimistic that our 2021 policy and disclosure trial lays a good foundation for the future, and has a balance of incentives that will lead to positive improvements to user security.”
