Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy

Google’s Project Zero cybersecurity research unit on Thursday announced changes to its vulnerability disclosure policy that give users 30 days to install patches before the technical details of a flaw are disclosed.


Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020. Until now, if Project Zero researchers found a security hole in a product, it was disclosed after exactly 90 days, regardless of when a patch was released or whether a patch was available at all. The impacted vendor could request a 14-day grace period and disclosure could happen earlier based on a mutual agreement.


For 2021, the disclosure deadline of 90 days remains unchanged, but if the vulnerability is patched within that 90-day timeframe, technical details will only be made public 30 days after the release of a fix, to give users time to install the patch. The 14-day grace period can still be requested by the vendor.


In the case of actively exploited vulnerabilities, technical details were previously disclosed 7 days after the initial report, even if the bug hadn’t been fixed, and vendors could not request a grace period before disclosure.


Starting now, if the vendor manages to patch the vulnerability within 7 days, technical details will only be disclosed 30 days after the fix is released. The goal is to give users more time to install the patch and avoid scenarios where other threat actors could use the disclosed information for their attacks. In addition, vendors will be able to request a 3-day grace period for vulnerabilities exploited in the wild.


Another change is related to disclosure during the 14-day grace ..