In a bid to give developers more time to address security vulnerabilities, Google has made changes to its Project Zero disclosure programme which could also mean that other companies roll out half-baked patches.
Announced in July, 2014, the Project Zero is a team of security analysts employed by Google who are tasked with finding zero-day vulnerabilities, the secret hackable bugs which are exploited by criminals, state-sponsored hackers, and intelligence agencies.
“We recently reviewed our policies and the goals we hope to accomplish with our disclosure policy. As a result of that review, we have decided to make some changes to our vulnerability disclosure policy in 2020. We will start by describing the changes to the policy, and then discuss the rationale behind these changes,” Tim Willis, Manager, Project Zero, wrote in a blog post on Tuesday.
“For vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed.”
If there is mutual agreement between the vendor and Project Zero, bug reports can be opened to the public before 90 days elapse.
For example, a vendor wants to synchronise the opening of our tracker report with their release notes to minimise user confusion and questions.
“Fix a bug in 20 days? We will release all details on Day 90. Fix a bug in 90 days? We will release all details on Day 90,” noted Willis.
The tech giant said it will try this policy for 12 months, and then consider whether to change it long term.