Skip to main content

Google Project Zero will give a 30-day grace period before disclosing security issues

posted onApril 18, 2021
by l33tdawg
Wikipedia
Credit: Wikipedia

Google’s Project Zero, a team of dedicated security engineers tasked with reducing the number of “zero day” vulnerabilities around the entire internet, says it will give developers an extra 30 days before disclosing vulnerability issues, in order to give end-users time to patch their software.

Developers will still have 90 days to fix bugs, but Project Zero will wait another 30 days before it discloses the details of the bug publicly. If a flaw is being actively exploited in the wild, a company will have seven days to issue a patch, and a three-day grace period if requested. But Google Project Zero will wait 30 days before it discloses technical details.

In 2020, Google announced a trial to allow developers 90 days to work on patch development and adoption, with the idea that if a dev wanted more time to allow users to install a patch, they’d ship the fixes early in the 90-day period. “In practice however, we didn’t observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch,” Project Zero’s Tim Willis wrote in the blog post. “In other words, the implied timeline for patch adoption wasn’t clearly understood.”

Source

Tags

Industry News

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th