Google Project Zero no longer makes publication of bugs dependent on a fix
Project Zero, the Google team that investigates vulnerabilities in software, will from now on always publish the details of a vulnerability 90 days after reporting it to the affected company, whether or not a fix is available by then. The details will only come out sooner if the affected company asks for it.
Google will trial the new policy for a year, the company reports. Project Zero will only publish its findings earlier at the request of the affected company, for example to avoid confusing users when a fix ships well before the deadline: without early publication, users would otherwise hear months later about a bug that had long since been fixed.
In addition, the company is becoming stricter with affected vendors that release an incomplete fix. If a patch does not fully close the hole, the original publication deadline stays in place rather than a new one starting. That was not always the case in the past. The move is meant to encourage affected vendors to fix vulnerabilities both faster and more thoroughly.
With the change, Google hopes that exploiting zero-days will become harder, because vendors will hopefully fix vulnerabilities faster and more completely. The trial starts immediately; after a year, Project Zero will decide whether this becomes the long-term policy. If a vulnerability is already being actively exploited in the wild, Google continues to apply a seven-day deadline; that part of the policy has not changed.
Project Zero is not without controversy. Several times in recent years, details of a vulnerability have been published before a fix was available, allowing attackers to exploit the vulnerability in the wild.
| Project Zero | Policy 2019 | Policy 2020 |
|---|---|---|
| Goals | Enforce faster patches | Enforce faster patches; enforce more thorough patches; enforce better update policies |
| Publication of findings | At the researcher's discretion, in principle after 90 days | After 90 days, unless the affected company wants earlier publication |
| Incomplete fix | Researcher decides whether it counts as a new vulnerability with a new deadline | No new deadline |