Google’s Project Zero, a dedicated team of security engineers tasked with reducing the number of “zero-day” vulnerabilities across the Internet, says it will give vendors an extra 30 days before it publicly discloses details of the vulnerabilities it reports to them, so that end users have time to patch their software.
Vendors will still have 90 days to fix a bug, but Project Zero will now wait a further 30 days after that deadline before publishing technical details. If a bug is being actively exploited in the wild, the vendor will have seven days to issue a patch, plus a three-day grace period if requested; Project Zero will then wait 30 days before revealing technical details.
In 2020, Google announced a policy that gave vendors 90 days to develop and ship patches, with the idea that if a vendor wanted more time for users to install a patch, it would ship the fix early in the 90-day window. “We didn’t notice a significant change in patch development times, and we continued to receive feedback from vendors that they were concerned about publishing technical details about vulnerabilities and exploits before most users had installed the patch,” wrote Tim Willis of Project Zero in a blog post. “In other words, the implied timeline for patch adoption was not clearly understood.”
The purpose of the 2021 update, Willis wrote, is to make the patch adoption timeline an explicit part of Project Zero’s vulnerability disclosure policy. “This 90+30 policy gives vendors more time than our current policy, as a direct jump to a 60+30 policy (or similar) would probably be too sudden and disruptive,” he wrote. “Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually reduce both the patch development and patch adoption timelines.”