Google’s Project Zero will wait longer before it discloses security flaws

Google’s security team Project Zero will wait an additional 30 days before revealing details about a vulnerability so that end users have enough time to install patches, Google announced. Developers will still have 90 days to fix regular bugs (with a 14-day grace period on request), but Google will now wait an additional 30 days before making details public. For vulnerabilities that are actively exploited in the wild (zero-days), companies still have seven days to fix the bug, with a three-day grace period on request, but Google will now wait 30 days before revealing technical details.

Last year, Google gave developers more time to fix bugs, hoping that patches would still ship quickly enough to leave end users time to install them. “However, in practice we did not notice a significant shift in the timeframe for patch development and we continued to receive feedback from vendors that they were concerned about the public release of technical details on vulnerabilities and exploits before most users installed the patch,” Project Zero’s Tim Willis wrote.

Developers now have a full 90 or seven days to develop the patch, and end users will have 30 days to apply the patch before disclosure. If a grace period is requested, however, it is deducted from the 30-day publication window, so bugs will always be disclosed after 120 or 37 days at most, for regular and zero-day vulnerabilities respectively, provided they are fixed in time. If they are not fixed on time, details will be published after 90 or 7 days, respectively.

That will apply for 2021, but it could change next year. “Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually reduce the timeframes for patch development and patch adoption,” the company said. Find more information on the Google Project Zero blog.