Google Project Zero is moving to complete 90-day patch adoption
Vendors are allowed to have 90 days to fix bugs, under adjustments to the transparency policies of Google Project Zero.
Project Zero, the team of elite security researchers from Google, has changed its disclosure policy to focus on allowing vendors to get patches right for security issues and distribute them to users.
Under the amendments introduced on Tuesday, any flaws will be disclosed to the public after 90 days, unless a prior agreement remains.
Previously, once a security fix was created, the issue would be made public by a Project Zero researcher on his bug tracker.
“Too many times, we’ve seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” Project Zero manager Tim Willis wrote.
“One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”
Willis added that vendors would be able to ensure that users install updates to patched versions before disclosure.
“End user security doesn’t improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device,” he said.
The improvements would improve and make it more compatible with Project Zero, the blog post said.
“Some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time,” Willis said.
“They saw it as a barrier to working with us on larger problems, so we’re going to remove the barrier and see if things improve.”
Project Zero said that nearly 96 percent of vulnerabilities are fixed in August before the lifting of the 90-day disclosure period. This number has been updated to 97.7 percent on Tuesday.
Project Zero only extended its 90-day deadline twice— for the 2016 iOS issue of task t and the 2018 flaws in Meltdown and Spectre.