Google updates its Zeroday disclosure policy,

Google's security research team, Project Zero, has given software vendors some relief by revising its zero-day disclosure policy. In a post on the Google Security blog, the team announced changes to its policy on full disclosure of the bugs Project Zero finds.

Most recently, Google disclosed three critical bugs in Microsoft Windows and Apple's OS X before the vendors had released patches, leaving the door open to attackers and putting millions of users at risk. Google had applied its 90-day zero-day disclosure policy strictly: every disclosure was made 90 days after Google alerted Microsoft and Apple.

Project Zero's Chris Evans and Ben Hawkes, Google Security's Heather Adkins, Matt Moore, and Michal Zalewski, and Google Security Vice President Gerhard Eschelbeck noted that "Disclosure deadlines have long been an industry standard practice," citing the disclosure policies of Carnegie Mellon's CERT, Yahoo, and TippingPoint's Zero Day Initiative. Deadline policies for vendor disclosure "improve end-user security by getting security patches to users faster," the Google team stated.

Project Zero is a Google initiative that brings together top security researchers to hunt for vulnerabilities and other security threats. Since the project launched, Google's team claims, "of the 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days."

Google also noted that Microsoft and Apple had missed the disclosure deadline because they took too long to release patches for the bugs.

In light of this, Google has made some modifications to its 90-day deadline. Vendors can request a 14-day grace period before disclosure if they are working on a fix, and deadlines that expire on weekends or holidays will be pushed to the next business day. The Project Zero team will also ensure that bugs that go past the deadline have a Common Vulnerabilities and Exposures (CVE) identifier pre-assigned through MITRE before they are disclosed, to avoid confusion.
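The revised deadline rules, written out as a small calculator so a vendor's response team can see what date a report actually falls due. This is an added example, not Google's or Project Zero's code; the holiday calendar is supplied by the caller (the post does not list which holidays count), and applying the grace period before the business-day roll-forward is an assumption.

```python
from datetime import date, timedelta

DEADLINE_DAYS = 90   # standard Project Zero deadline
GRACE_DAYS = 14      # optional extension a vendor may request while fixing


def next_business_day(day, holidays=frozenset()):
    """Roll a date forward while it lands on a weekend or a listed holiday."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def disclosure_deadline(reported, holidays=frozenset(), grace_requested=False):
    """Public-disclosure date under the revised policy.

    90 days from the report date, plus 14 days if the vendor asked for the
    grace period (assumption: grace is added before the roll-forward), then
    pushed to the next business day if it expires on a weekend or holiday.
    """
    deadline = reported + timedelta(days=DEADLINE_DAYS)
    if grace_requested:
        deadline += timedelta(days=GRACE_DAYS)
    return next_business_day(deadline, holidays)


def disclosure_outcome(reported, fixed_on, holidays=frozenset(),
                       grace_requested=False):
    """Classify a report: fixed in time, or disclosed with a CVE pre-assigned.

    fixed_on is the date the vendor shipped a fix, or None if no fix yet.
    """
    deadline = disclosure_deadline(reported, holidays, grace_requested)
    if fixed_on is not None and fixed_on <= deadline:
        return ("fixed_before_deadline", deadline)
    return ("disclose_with_preassigned_cve", deadline)


if __name__ == "__main__":
    # Constructed sample: a report filed on Sunday 4 Jan 2015 has its 90th
    # day on Saturday 4 Apr 2015, so it rolls to Monday 6 Apr 2015.
    print(disclosure_deadline(date(2015, 1, 4)))
    # With a (constructed) holiday on that Monday it rolls one day further.
    print(disclosure_deadline(date(2015, 1, 4), frozenset({date(2015, 4, 6)})))
```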

Google stressed that it treats all vendors strictly equally, including Google itself: Project Zero has bugs in the pipeline for Google products (Chrome and Android), and these are subject to the same deadline policy.