Google Project Zero has added a new grace period to its vulnerability disclosure policy: once a vendor releases a patch, the team will now wait an additional 30 days before publishing technical details of the vulnerability.
Project Zero revised its 90-day disclosure policy in 2020 so that technical details were withheld for the full 90 days by default, even when a vendor shipped a fix earlier. The aim of the 90-day window was to encourage faster patch development and patch adoption while still giving vendors sufficient time to develop a comprehensive fix. It did not go entirely as planned: vendors complained to Google that when a patch shipped late in the window, the remaining time was not enough for most users to apply it before the details were published.
The old 90-day window was expected to cover both patch development and patch adoption, and bundling the two into a single deadline led to confusion. The new approach decouples them.
Under the new disclosure policy, when the Google Project Zero team reports a vulnerability, the vendor gets 90 days to release a patch. If a patch ships within that window, full technical details are published 30 days after the patch is released, giving users time to adopt it. If no patch has been released by the end of the 90 days, the Google Project Zero team will publish technical details of the vulnerability immediately at the deadline, with no 30-day grace period applied.
Where a vulnerability is being actively exploited in the wild, the vendor is notified and has only 7 days to issue a patch before technical details are released. A vendor that cannot patch within 7 days can request a 3-day extension, giving a maximum of 10 days from the date of notification before full disclosure.
If a patch is released within that deadline, Google Project Zero will wait 30 days after the patch before disclosing technical details, to allow time for the majority of users to adopt it.
The previous policy benefited the defensive community by publishing details promptly, but publishing details of a fix that most users had not yet applied also gave opportunistic attackers a window. The new adoption period is intended to narrow that window.
“Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” said Google Project Zero Senior Security Engineering Manager Tim Willis.