Google Project Zero Cuts Bug Disclosure Timeline to a 30-Day Grace Period


The zero-day flaw research group has revised its disclosure of the technical details of vulnerabilities in the hopes of speeding up the release and adoption of fixes.

Under a new disclosure policy revealed this week, Google Project Zero will now give organizations a 30-day grace period to patch zero-day flaws it discovers, a change aimed at speeding up the time it takes for patches to be adopted.

Known for discovering a number of high-profile zero days—in Google’s own products as well as those found in rival Apple’s software—Project Zero last year began revealing the technical details of flaws its researchers discovered 90 days after the initial vulnerability report.

However, the research group is now changing this tactic slightly, saying it will delay disclosure of the technical details of a vulnerability until 30 days after a patch is issued, provided that patch is created within the 90-day period, according to a blog post by Project Zero’s Tim Willis published Thursday.

“Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he wrote.


Moving to this so-called “90+30 model” will allow researchers and the industry as a whole to “decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis explained.

However, technical details of vulnerabilities that remained unpatched during the 90-day period after Project Zero discovers them still will be disclosed immediately after that grace period is up, according to the post.

Project Zero also is applying a similar policy to in-the-wild exploits, which currently are disclosed, along with technical details, seven days after they are identified.

Under the new disclosure timeline, if a patch is released during the seven-day notification period, researchers won’t release technical details until 30 days later, according to the post. Moreover, vendors whose products are affected by the vulnerability can ask for a three-day grace period before Project Zero reveals technical details.

Tweaking the Policy

Vulnerability management and patching has long been a difficult endeavor, especially for larger organizations that have trouble keeping up with every bug that comes along and affects various aspects of their IT networks.

Even for consumer-facing companies like Microsoft, Google and Apple that push out patches to customers automatically via update programs, patching does not always go as smoothly as vendors hope. Sometimes it’s because customers don’t enable automatic updates to devices, leaving them unpatched for longer than they should be; other times it’s the companies themselves who are responsible for a lag time between the discovery of a vulnerability and an available patch.

When Project Zero introduced the 90-day disclosure policy last year, it aimed to balance three goals: faster patch development that shortened the time between a bug report and a fix being available for users; thorough patch development that ensured each fix is correct and comprehensive; and improved patch adoption that shortened the time between a patch being released and users installing it, Willis said.

However, the project didn’t see “a significant shift in patch development timelines” that it had hoped for with its 2020 disclosure policies, he explained.

Moreover, vendors repeatedly raised concerns about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch, Willis said. “In other words, the implied timeline for patch adoption wasn’t clearly understood,” he said.

Google hopes that the new policy will set clearer guidelines for vendors so they will patch systems faster and thus improve faster adoption time across their user base.

In fact, to nudge this effort along even further, Project Zero said it will shorten the 90-day disclosure deadline “in the near future” to reduce the time it takes to patch a flaw as well as speed up patch adoption “over the coming years until a steady state is reached,” Willis wrote.
