Google’s Project Zero security team has announced changes to its bug disclosure policy: a new 14-day grace period, and deadlines that fall on a weekend or US public holiday now move to the next work day. Both give tech companies more time to address security vulnerabilities found by the Google team.
Google, via MacRumors:
We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.
The Project Zero team has been the subject of controversy in the past, following its public disclosure of Apple and Microsoft security flaws after the companies failed to meet the 90-day deadline.
We’ve studied the above data and taken on board some great debate and external feedback around some of the corner cases for disclosure deadlines. We have improved the policy in the following ways:
- Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Grace period. We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
- Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.
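As an added example (not code from Google or the article), the deadline arithmetic described in the three points above, written in Python. The holiday set is a constructed sample for illustration, not a complete US public holiday calendar, and the function names are this example's own.

```python
from datetime import date, timedelta

# Constructed sample of US public holidays used only for this example.
SAMPLE_US_HOLIDAYS = {date(2015, 5, 25), date(2015, 7, 3), date(2015, 9, 7)}


def next_work_day(d, holidays=SAMPLE_US_HOLIDAYS):
    """Move d forward until it is neither a weekend nor a listed holiday."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def disclosure_date(reported, patch_date=None, notified_on=None,
                    holidays=SAMPLE_US_HOLIDAYS):
    """Return (disclosure_date, reason) under the policy quoted above.

    reported:    day the vendor was told about the bug (day 0 of the 90-day clock)
    patch_date:  day the vendor says a fix will ship, or None
    notified_on: day the vendor told Project Zero that date; the grace period
                 only applies if this is before the deadline
    """
    # 90 days, with the expiry day itself moved off weekends and holidays.
    deadline = next_work_day(reported + timedelta(days=90), holidays)

    if patch_date is None or notified_on is None or notified_on > deadline:
        return deadline, "deadline"
    if patch_date <= deadline:
        return patch_date, "patched before deadline"
    if patch_date <= deadline + timedelta(days=14):
        return patch_date, "grace period"
    # Patch more than two weeks late: the unpatched issue goes public on the deadline.
    return deadline, "deadline missed by more than 14 days"
```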
The Project Zero team is a group of experienced programmers who examine the code of Google and its competitors in order to discover security flaws. The group uncovered such flaws in Apple’s OS X Yosemite operating system back in January. The team discloses the vulnerabilities to the companies immediately following their discovery, starting the 90-day clock ticking down to a deadline when the flaws will be announced to the public.
Google’s Project Zero team has been the focus of much debate, as some believe the company has a hidden agenda designed to publicize the presence of flaws in competitors to the company’s Android operating system, while others claim the team is taking appropriate action. Google says it holds itself and its operating systems to the same 90-day deadline policy that it enforces on other tech firms.