Google's Project Zero will now wait the full 90 days before disclosing vulnerabilities, even after a fix ships
What you need to know
- Google is changing its Project Zero disclosure policy for 2020.
- By default, Project Zero will no longer publish details of a vulnerability before the end of the 90-day window, even if the vendor ships a fix earlier, giving firms time for more thorough patching and users time to update. Earlier disclosure is still possible when the vendor and Project Zero agree to it.
- This is a 12-month policy trial with a re-evaluation period at the end of the year.
Google's Project Zero is making a notable change in 2020: it is trialing a revision to its often-criticized vulnerability disclosure policy. The change took effect on New Year's Day.
In brief, Project Zero will now hold disclosure for the full 90 days, regardless of when the bug is fixed. Under the old policy, details went public at 90 days or as soon as a fix shipped, whichever came first, which drew complaints from some companies because bug details could appear the same day a patch was released, before most users had installed it. The new rule is meant to make disclosure timing consistent and predictable for every vendor.
Project Zero's Tim Willis laid out the team's thinking in the announcement of the change.
The priority is to ensure that patches are not only developed but also distributed and installed as widely as possible before the details are reported to the public. Google says it has seen companies simply "paper over the cracks" in a rush to ship a fix within the deadline: a patch that blocks only the reported trigger, without addressing the underlying cause, can leave the bug or closely related variants exploitable once attackers study the fix. With the full 90 days available, Google expects "iterative and more thorough patching from vendors," including "root cause and variant analysis" rather than a single narrow fix.
Google is trialing this change over the next 12 months and will re-evaluate it at the end of the year; it will be interesting to see how other tech companies react. Google doesn't expect it to please everyone, but at first glance it looks like an improvement on last year's policy.