Google Project Zero changes rules on revealing cyberattacks

Companies will now get a full 90 days before vulnerabilities are disclosed

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Google’sProject Zerohas revealed that it will be trialing a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software.

The search giant’s team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.

The manager of Project Zero at Google, Tim Willis explained in ablog postthat while the team may be making changes to its disclosure policy, it has yielded impressive results over the last five years, saying:

“We’re very happy with how well our disclosure policy has worked over the past five years. We’ve seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.”

Disclosure policy changes

After reviewing its topic disclosure policy, Project Zero has announced that it will be making some changes in 2020 including that fact that all companies will be given a “full 90 days by default, regardless of when the bug is fixed”. However, if there is an agreement between a vendor and Project Zero, bug reports can be published before the 90 day deadline is up.

Google’s security team will also now work to encourage companies to create patches that are more thorough and to improve adoption within the 90 day period. In the past, Project Zero’s goal of “faster patch development” may have led vendors to patch vulnerabilities by “papering over the cracks” without addressing the root cause of a vulnerability and the changes to its disclosure policy aim to rectify this.

Project Zero also intends to work to improve timely patch adoption so that end users can actually benefit from bugs being fixed.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Google plans to trial the new policy for 12 months before it decides whether to “change it long term”.

Via9to5Google

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Is it still worth using Proton VPN Free?

Mozambique VPN usage soars as internet restrictions continue

MacBook Air OLED reportedly delayed until at least 2028 – here’s why