The team at Google Project Zero has announced a significant change to its disclosure policy for 2021 that may help developers both patch bugs and vulnerabilities and get those patches deployed more effectively.
As you might be aware, Project Zero gave developers a 90-day window to patch a vulnerability before that vulnerability was disclosed. For vulnerabilities that are actively exploited, that period is seven days.
However, this meant that after 90 days a bug or vulnerability would be disclosed regardless of whether a patch had been released and regardless of whether users had applied it.
“Vendors were given 90 days to work on the full cycle of patch development and patch adoption. The idea was if a vendor wanted more time for users to install a patch, they would prioritize shipping the fix earlier in the 90 day cycle rather than later,” writes Tim Willis, senior security engineer at Project Zero.
In reality, many developers weren’t able to patch, publish and distribute a fix within that 90-day period, and they expressed concern to Project Zero that technical details about vulnerabilities were being published before the patch was widely distributed.
So, starting this week, Google will give developers 90 days for patch development plus an additional 30 days for patch distribution before publishing technical details.
“This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive. Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines,” writes Willis.
While Google intends to lower that threshold gradually over time, the extra window should help developers address vulnerabilities more methodically.
This update brings the disclosure debate to the fore once again. On one hand, users should really know what vulnerabilities are out there; on the other, cybercriminals are looking to exploit any opportunity that public details give them.
Disclosure is important, but it’s a tricky tightrope to walk. It’s admirable that Google is taking feedback into account and shaping its policy around it, even if it remains adamant that 90 days should be the limit on when disclosure takes place.