Google Project Zero waits 30 days after fix with vulnerabilities published

Google Project Zero, the division of Google that investigates vulnerabilities in software, will wait an extra 30 days in 2021 before publishing technical information about discovered vulnerabilities. The team wants to give people more time to install patches and fixes.

Developers still have 90 days from Google Project Zero to fix a vulnerability. If the vulnerability is not fixed after this period, Project Zero will publish the technical details immediately. If the vulnerability was fixed during this time, the team will not publish the details until 30 days after the fix is ​​applied. Developers can request a delay of the notification of up to fourteen days.

If a vulnerability is actively exploited, the developer or company in question will only have seven days to patch it. If the patch is not there after seven days, Project Zero will immediately publish all technical details. You can request a three-day extension. If a discovered vulnerability was fixed within seven days, the details will not be published until 30 days after the fix.

The deferral periods that companies and developers can request are deducted from the subsequent 30-day period Project Zero has to wait with publication.

With these measures, Project Zero still wants developers to release bug fixes and patches faster. However, the team found that the development of bug fixes or patches did not accelerate. In addition, it was told that the technical details were published too quickly, putting users who had not yet installed the fixes or patches at serious risk.

According to Project Zero, this new arrangement is clearer and more secure. Developers are given, in most cases, 90 days to work on a fix, and because an additional 30 days are allotted to increase fixes’ adoption, the team argues that this is a more secure protocol. Each year, Project Zero reconsiders whether it needs to adjust its protocols.