The Project Zero team today announced an updated vulnerability disclosure policy for 2021. It follows changes made last year to better address perennial concerns from the broader security community.
In short, the Google security team in 2021 will wait 30 days before sharing technical details of a vulnerability that has been patched within the 90- or seven-day (for a zero-day) deadlines. That extra time is intended to allow more users to install the resulting fix.
Project Zero previously published details 90 days after bringing an issue to light regardless of whether the bug was fixed. Meanwhile, problems that have gone unfixed after 90/7 days will be published as usual.
Last year, the team started iterating on disclosure policy with a focus on faster and more thorough patch deployment, as well as improved patch adoption. Their first attempt at accomplishing these goals had mixed results:
In practice however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn’t clearly understood.
For 2021, Project Zero is making the “patch adoption timeline an explicit part of [its] vulnerability disclosure policy” by giving those 30 days. Google considers the new 90+30 policy a “slight regression from the perspective of rapidly releasing technical details, but is planning to “gradually lower both patch development and patch adoption timelines.”
For example, based on our current data tracking vulnerability patch times, it’s likely that we can move to a “84+28” model for 2022 (having deadlines evenly divisible by 7 significantly reduces the chance our deadlines fall on a weekend). Beyond that, we will keep a close eye on the data and continue to encourage innovation and investment in bug triage, patch development, testing, and update infrastructure.
Author: Abner Li
Source: 9TO5Google