Google Modifies 90-Day Project Zero Disclosure Policy After Developer Backlash

Through its Project Zero division, Google has tasked itself with motivating technology companies to push out timely patches for zero day vulnerabilities. It does this by giving companies 90 days to patch a security flaw before going public with the details. There are differing opinions on whether this is the right approach, and as we embark on a brand new year, Project Zero is updating its policy and disclosure for zero day threats.

The big change for 2020 is that Project Zero will wait the full 90 days before disclosing details of a zero day threat, regardless of whether a company has already issued a patch or not. Up to this point, Project Zero's policy was to disclose the threat as soon as a patch was released. So, if a company like Microsoft plugged up a zero day security hole 18 days after being made aware of it by Project Zero, details would immediately be made public.

Under the revised policy, in this example Microsoft could push out an update on day 18 (or any day before 90 days), and Project Zero would wait until the full 90 days has elapsed before disclosing the threat. The only exception is if there is mutual agreement between Project Zero the company in question, to disclose a threat earlier. And if Microsoft or any other company misses the deadline, Project Zero would proceed as normal, disclosing the unpatched threat.

There are a couple of reasons behind the change in policy. For one, Project Zero hopes this change will thwart malicious actors from slightly altering a zero day threat after the initial patch has been released, to bypass the patch. And secondly, this gives companies more time to reach a broader audience with its patches, before the details are out in the wild.

"Too many times, we've seen vendors patch reported vulnerabilities by 'papering over the cracks' and not considering variants or addressing the root cause of a vulnerability. One concern here is that our policy goal of 'faster patch development' may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss," Project Zero explains.

Part of the hope is this policy shift will ultimately result in more thorough patches. In addition, companies can still ask for a 14-day grace period, which pushes the total time to fix a zero day threat to 104 days (if the request is granted). However, after 90 days, Project Zero will disclose a zero day threat as soon as the patch is released, rather than waiting out the full two extra weeks.

Project Zero will follow its revised policy for a full year, after which it will consider whether to implement the revisions long term.