Google Project Zero Extend its Bug Disclosure Period

Google Project Zero will wait 30 days before disclosing technical details about the vulnerabilities fixed within 90 days.


The Google Project Zero team has updated their vulnerability disclosure policies, continuing to make improvements to better address new issues as the security community grows.

According to the updated policies, Google Project Zero will wait 30 days before disclosing technical details about a vulnerability that was patched within a 90-day or seven-day (for zero-day vulnerabilities) time frame. This additional time will allow more users to install the hotfix.

Previously, researchers from Google Project Zero published details about the vulnerabilities they discovered 90 days after notifying the manufacturer of the vulnerable software, regardless of whether he had time to release a fix. However, vulnerabilities not fixed within 90 (7) days will continue to be disclosed as before.

Last year, the Google Project Zero team began updating their vulnerability disclosure policy with a focus on faster, more thorough patch deployment and more efficient implementation. However, her first attempt to achieve these goals yielded mixed results.

“In practice, however, we have not seen a significant shift in the patch development timeline and continued to receive feedback from vendors that they are concerned about publicly disclosing technical details about vulnerabilities and exploits before most users install the patch. In other words, the estimated timeline for implementing the fix was not clearly understood, ”the team explained.

In 2021, Google Project Zero decided to make the "patch distribution schedule an explicit part of the vulnerability disclosure policy" by granting an additional 30 days. Google considers the new 90 + 30 policy a "small retreat" in terms of quick technical disclosure, but plans to continue to "gradually reduce development and patching times."