Announced in 2014, Google’s Project Zero is a team of security analysts hired by Google to find zero-day vulnerabilities in various software. The search engine giant has now updated its vulnerability disclosure guidelines, meaning that Project Zero will now take longer before disclosing security flaws.
The updated policy adds an extra 30 days before security bugs are disclosed. Previously, the Project Zero team would only publish vulnerability details on its online bug tracker after a 90-day period, or earlier once the bug was patched.
Thanks to the longer time period, vendors will have a bit more time to develop, distribute, and get users to install the necessary patches before details are shared online. This is also a positive development for security, since vulnerability details shared publicly could be weaponized by attackers.
Although security patches are released by the time the vulnerability details are shared online, there is no guarantee that users will have updated their software immediately. Therefore, Google's extra 30-day period comes as good news.
The new policy rules will apply throughout 2021, but things could change again in the future. Google’s blog post notes:
Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines.