Google Project Zero no longer makes publishing bugs dependent on fix


Project Zero, the department of Google that investigates vulnerabilities in software, will now always publish the details 90 days after reporting a vulnerability to a company. The details will only come out sooner if the affected company wants it.

Google will try the new policy for a year, the company reports. Project Zero will only reveal its findings about vulnerabilities earlier if the affected company wants it, for example so as not to confuse users when the company releases a fix sooner. Otherwise, users might hear again months later about a bug that has long since been fixed.

In addition, the tech company is more consistent with affected companies that release an incomplete fix: in that case, the deadline for publication will always stay the same. That was not always the case in the past. The move should encourage affected companies to repair vulnerabilities faster and more thoroughly.

With the change, Google hopes that exploiting zero-days will become more difficult, as companies will hopefully fix vulnerabilities faster and more thoroughly. The test starts immediately. In a year’s time, Project Zero will determine whether this will be the long-term policy. If criminals actively exploit a vulnerability, Google will continue to apply a one-week deadline; that policy has not changed.

Project Zero is not without controversy. It has happened several times in recent years that the details of a vulnerability have come out before a fix was available, allowing attackers to actively exploit it.

| Project Zero | Policy 2019 | Policy 2020 |
| --- | --- | --- |
| Goals | Enforce faster patches | Enforce faster patches; enforce fuller patches; enforce better update policies |
| Publication of findings | If the researcher decides, in principle after 90 days | After 90 days, unless the affected company wants earlier publication |
| Incomplete fix | Researcher decides whether it counts as a new vulnerability with a new deadline | No new deadline |