Google Blinks First with Project Zero Changes

Google has finally agreed to modify its Project Zero vulnerability disclosure policy to give vendors more time to patch flaws.

In a blog post on Friday, the web giant claimed it had “taken on board some great debate and external feedback” to come up with several improvements.

The first major change is that software vendors will now have an extra 14-day grace period after the initial 90-day time frame if a patch is slated for release during that two-week window.

“Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” said Google.

Disclosure deadlines will also be moved to the next working day if they happen to fall on a weekend or a US public holiday.

Finally, Google said it will always include the CVE when mentioning a vulnerability publicly for the first time.
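The three deadline rules reported above (a 90-day deadline, rollover to the next working day, and a 14-day grace period when a patch is scheduled inside that window) can be expressed as a small calculator. The following Python is an added example and is not code from the article or from Google's Project Zero; the function names (`disclosure_deadline`, `plan_disclosure`), the holiday set and the assumption that a bug fixed before its deadline is published on the patch date are all illustrative.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional, Set

STANDARD_DEADLINE_DAYS = 90   # initial disclosure deadline from the policy
GRACE_PERIOD_DAYS = 14        # extra time if a patch is slated within this window

# Constructed holiday set for the example only (assumption): a real tool would load
# the actual US public holiday calendar for the year in question.
EXAMPLE_US_HOLIDAYS: Set[date] = {date(2015, 1, 19), date(2015, 2, 16)}


class DisclosurePlan(NamedTuple):
    deadline: date      # 90-day deadline after the working-day adjustment
    disclose_on: date   # earliest date the flaw would be published under these rules
    unpatched: bool     # True if that publication would describe an unfixed flaw
    reason: str


def next_working_day(d: date, holidays: Set[date]) -> date:
    """Move a date forward past Saturday, Sunday and any listed public holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_deadline(reported: date, holidays: Set[date] = EXAMPLE_US_HOLIDAYS) -> date:
    """Report date + 90 days, shifted to the next working day if it lands on a weekend or holiday."""
    return next_working_day(reported + timedelta(days=STANDARD_DEADLINE_DAYS), holidays)


def plan_disclosure(reported: date, patch_scheduled: Optional[date] = None,
                    holidays: Set[date] = EXAMPLE_US_HOLIDAYS) -> DisclosurePlan:
    """Apply the three rules: 90-day deadline, working-day rollover, 14-day grace period."""
    deadline = disclosure_deadline(reported, holidays)
    grace_end = deadline + timedelta(days=GRACE_PERIOD_DAYS)

    if patch_scheduled is None:
        return DisclosurePlan(deadline, deadline, True,
                              "no fix scheduled: disclose at the deadline")
    if patch_scheduled <= deadline:
        # Assumption for the example: a fixed bug is published when the patch ships.
        return DisclosurePlan(deadline, patch_scheduled, False,
                              "fix lands before the deadline")
    if patch_scheduled <= grace_end:
        return DisclosurePlan(deadline, patch_scheduled, False,
                              "fix slated within the 14-day grace period: disclosure waits for it")
    return DisclosurePlan(deadline, deadline, True,
                          "deadline significantly missed (2 weeks+): disclose unpatched")


if __name__ == "__main__":
    # Constructed report dates; 2015-01-04 + 90 days falls on a Saturday and rolls to Monday.
    for reported, patch in [(date(2015, 1, 1), date(2015, 4, 10)),
                            (date(2015, 1, 1), date(2015, 4, 20)),
                            (date(2015, 1, 4), None)]:
        plan = plan_disclosure(reported, patch)
        print(f"reported {reported} patch {patch}: deadline {plan.deadline}, "
              f"disclose {plan.disclose_on}, unpatched={plan.unpatched} ({plan.reason})")
```

The grace period is checked against the adjusted deadline, so a vendor whose fix is slated a few days after a weekend-shifted deadline still benefits from the full 14 days; a patch scheduled beyond that window leaves the disclosure date where it was.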

The firm added:

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.”

The news will be celebrated as something of a victory for Microsoft, which criticized Google’s intractable 90-day disclosure policy after Mountain View posted information on a new Windows 8.1 flaw just two days before it was due to be fixed in the January Patch Tuesday.

Microsoft Security Response Center’s senior director, Chris Betz, argued in a blog post that Google had needlessly put computer users at risk with the disclosure.

“What’s right for Google is not always right for customers,” he said at the time.

Google had been criticized by various security commentators for its former stance, but claims that the new improvements will “result in softer landings for bugs marginally over deadline.”

Kasper Lindgaard, director of research and security at patch management firm Secunia, welcomed the changes.

“Observing the reactions from the security community, it is a sensible and decent thing to do,” he told Infosecurity.

“This is good news for the overall security of both companies and even for private users – in reality it was only the hackers who profited from Google’s choice of indiscriminately disclosing vulnerabilities, just a few days before the vendor could release an available patch.”