Google Project Zero Updates Vulnerability Disclosure Policy

Google’s Project Zero has updated its vulnerability disclosure policy to keep bug reports closed for 90 days, regardless of whether a patch is out before the deadline or not. 


The new policy has entered into effect on January 1, 202, and will be used for 12 months, after which Project Zero will assess its impact and decide whether to keep it unchanged or update it.


Previously, vendors had the same 90 days to address reported vulnerabilities in their software, but bug reports became public either when patches were released or after 90 days, whichever came first.


Under the new policy, bug reports won’t be opened to the public for 90 days after submission, even if a patch is released before the deadline. However, if there is a mutual agreement with the developer, Project Zero may open the report before the three-month period ends.




The goal of this new policy, Google Project Zero’s Tim Willis notes, goes beyond just attempting to speed up patching: thorough patch development and improved patch adoption are also a focus. 


Project Zero’s security researchers will also provide vendors with details on incomplete fixes and will add the information to the existing report, regardless of whether the report is public or not. The vendor won’t receive a new deadline.


As before, vendors may also request an additional 14 days to patch the reported vulnerabilities. If a fix is released during the grace period, the tracker reports are immediately opened to the public. No additional grace periods will be granted after 104 days.
