- Google’s Project Zero gives vendors 90 days to fix a bug, and 30 days for patch adoption
- ‘Upstream patch gap’ means it takes too long for a patch to become available
- Reporting more details will encourage more transparency
Google has pledged to update its Project Zero disclosure policy to report more security details sooner, in an effort to improve security by giving developers faster access to the finer details of vulnerabilities.
In 2021, Project Zero adopted a 90+30 policy – 90 days for vendors to fix a reported bug, plus an additional 30 days for users to adopt the patch if it is fixed within the 90-day window.
However, since then a so-called ‘upstream patch gap’ has emerged, whereby the time between a fix becoming available upstream and that fix being shipped by downstream vendors is longer than ideal, extending the lifecycle of vulnerabilities.
Google’s Project Zero will disclose even more information
A new trial policy will improve reporting transparency by disclosing the vendor or open-source project, the affected product, the date of the filed report and the 90-day disclosure deadline.
The changes were announced by the Project’s Tim Willis, who explained: “For the end user, a vulnerability isn’t fixed when a patch is released from Vendor A to Vendor B; it’s only fixed when they download the update and install it on their device.”
“By providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents,” Willis wrote.
Google hopes that the Project Zero update to include more details sooner will help the public track how long it takes between a vendor first making a patch available and that patch reaching the end device. Willis explained that the goal is an environment where transparency is normal and expected.
Willis stressed, “no technical details, proof-of-concept code, or information that we believe would materially assist discovery will be released,” so earlier reporting won’t give attackers the upper hand.