Google Project Zero Disclosure Policy Change Could Drive Better Zero-Day Security Patches

Vendors such as Microsoft may get more time before Google's Project Zero team publishes the technical details of a vulnerability, under a policy change for 2021. The 90-day deadline to ship a fix is unchanged. At the same time, end users can expect security patches for newly reported vulnerabilities to arrive sooner and be more thorough. How so?

On the surface, holding back the details of a bug for longer seems at odds with users receiving timely patches for newly reported vulnerabilities. And perhaps it will work out that way. But on closer inspection, the new "90+30" trial, as Project Zero calls the policy change, looks like a win for all involved.

Under last year's policy, Project Zero held to a full 90-day disclosure window. When the team found a vulnerability, it sent a bug report to the affected vendor and then published the details 90 days later, whether or not a fix had shipped in the meantime. Bugs already being exploited in the wild were on a shorter 7-day clock. The controversial program was designed to pressure vendors to fix bugs promptly, and in some cases Project Zero would grant a 14-day grace period, if requested and approved.

Now let's say Company X patched the flaw 20 days after Project Zero sent in its initial bug report. Project Zero would still wait another 70 days before disclosing it (20 + 70 = 90 days), unless there was a mutual agreement with Company X to disclose it earlier (pretty rare).

How Project Zero's New 90+30 Trial Policy Works For Zero-Day Bug Disclosures


Under the new 90+30 policy, companies still have a 90-day deadline to fix zero-day vulnerabilities, but if the issue is fixed within that time period, Project Zero will publish technical details 30 days after the fix.

"Project Zero won't share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption," Project Zero explains.

So to use the same example above of Company X fixing a flaw 20 days after it was made aware of it, Project Zero would wait an additional 30 days instead of 70 days to publish the bug's technical details. The patch itself still ships on day 20 either way; what changes is that the details follow on day 50 rather than day 90, giving vendors and users a defined 30-day window to roll the fix out before attackers get a detailed description of the bug.

What if it takes a company the full 90 days, or even longer, to patch a flaw? Project Zero will still adhere to its 90-day deadline and publish details even if a bug has not been fixed, unless a 14-day grace period has been granted. So that part of the policy is not changing. If a grace period is granted, however, it eats into the new 30-day adoption period, so the latest a fixed bug is disclosed is Day 120. For example, if Company X patched a flaw on Day 100 inside a granted grace period, it would be disclosed on Day 120 instead of Day 130.

"Moving to a '90+30' model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks," Project Zero says.

Project Zero's hope is that this disclosure policy change will lead to faster patch development, more thorough patch development, and improved patch adoption. And looking ahead to next year, Project Zero says its current data suggests it could move to an "84+28" model, since deadlines divisible by 7 land on the same day of the week as the original report and so will not fall on a weekend.

Thoughts on the new model? Share them with us in the comments section below!