Google Project Zero will now allow organizations a 30-day grace period before bug disclosure. The zero-day research group made the decision in the hope of speeding up both the release and the adoption of fixes.
The new disclosure policy is meant to shorten the time it takes for patches to be adopted. Google Project Zero has a reputation for detecting a number of high-profile zero-days in Google's own products and in those of others such as Apple. Previously, Project Zero engineers disclosed a flaw 90 days after the initial vulnerability report.
According to the Project Zero blog post, things will be different from here on. Disclosure of a vulnerability's technical details will now be delayed until 30 days after a patch is issued, provided that patch is created within the 90-day period.
Tim Willis posted on Thursday –
Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.
He further said the new model will allow researchers and the industry to separate the time to patch from the time for patch adoption, reducing the debate over the attacker/defender trade-off of sharing technical details, and will help reduce the amount of time end users are vulnerable to known attacks.
Vulnerabilities that remain unpatched during the 90-day period after Project Zero discovers them will be disclosed as soon as that grace period is up.
A similar policy will apply to vulnerabilities Project Zero finds being exploited in the wild. Presently these are disclosed, along with technical details, seven days after they are identified.
Under the new disclosure timeline, researchers will withhold technical details for 30 days if the patch is released during the 7-day notification period, and vendors whose products are affected by the vulnerability can ask for a three-day grace period before Project Zero reveals technical details.