We select and review products independently. When you purchase through our links we may earn a commission. Learn more.

Google Will Wait a Bit Longer Before Publishing Zero Day Vulnerability Details

A warning sign, all broken and jagged

Project Zero is a team from Google tasked with finding vulnerabilities and reporting them to manufacturers. It’s not without controversy due to occasionally publishing the details of vulnerabilities before a patch. To that end, Project Zero will add some time to its disclosure period.

Under the old rules, software vendors had 90 days to release a patch from when Google disclosed a vulnerability to the vendor. Whether or not it did, it would reveal the zero-day vulnerability to the public, often with enough detail that a bad actor could use the information to create exploits. Eventually, Google added an optional grace period software vendors could request if a patch was near completion.

Detractors claim that the hard deadline puts the public at risk if the company is actively working on a solution, but the problem is complicated enough it can’t be solved in 90 days. Others point out that some companies may be disinclined to create a patch at all without the hard window. The public pressure helps convince the software vendor to act where it may not otherwise.

Finding that middle ground is the difficult part, and Google says it will make adjustments to address concerns from the broader security community. In 2021 it will wait an additional 30 days to disclose details of a vulnerability if a vendor releases a patch before the 90 window ends. The idea is to give users time to install updates and protect them. However, if a vendor requests a grace window, that will eat into the 30-day update window.

That’s for a case where Google hasn’t discovered a vulnerability already being actively abused. Before when that happened, Google disclosed full details within seven days of notification. Going forward, it will disclose the vulnerability after seven days but wait to publish technical details for an additional 30 days.

All that applies only to 2021 because next year, Google plans to shorten all of its windows slightly. Starting in 2022, Project Zero will move to an “84 + 28” model—84 days to disclosure, plus another 28 days to full details. Project Zero hopes that shortening the windows will encourage faster patch development. It also suggests that moving to days divisible by seven reduces the chance of a deadline falling on a weekend—when software vendors typically have days off.

Source: Project Zero

Josh Hendrickson Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code. Read Full Bio »