Project Zero announced some changes to its vulnerability disclosure policies. It gave users an additional 30 days to install patches before revealing technical details of a defect.
Tasked with reducing the number of vulnerabilities known as zero days, Google Project Zero will give users an additional 30 days to install patches before revealing the technical details of a flaw. This extra time is intended to allow more users to install the resulting fix.
The periods will be shortened next year
Previously, technical documentation of a vulnerability was shared as soon as the 90-day period ended, regardless of whether a patch was released. With the new model, if a patch is released during this time, the team will wait 30 days after the patch is released to share the technical details of its review.
Project Zero manager Tim Willis wrote in a blog post: “Switching to a ‘90 + 30’ model allows us to separate fix time from patch adoption time, reduce discussions on offensive / defensive exchanges and technical details, as well as reduce the time that end users are vulnerable to known attacks.”
The Project Zero team states that this relaxed policy will not last for long as they will try to shorten the disclosure deadline in the near future. The team hints in their blog post that they could possibly switch to the 84 + 28 model for 2022.