NG Solution Team
Technology

How does Project Zero’s new policy impact vulnerability disclosure?

Google has revised its approach to disclosing software vulnerabilities, aiming to speed up patch adoption. Project Zero, Google’s team dedicated to identifying zero-day vulnerabilities, will now reveal the existence of a vulnerability within a week of notifying the vendor. The announcement will include details such as the affected product, the responsible vendor or open-source project, the report’s filing date, and the deadline for disclosure, which remains at 90 days.

This policy seeks to address the “upstream patch gap,” a delay between a vendor’s patch release and its integration by downstream users. Although Google maintains that the new policy won’t aid attackers, it hopes to prompt faster communication and patch development.

The 90+30 disclosure policy remains, allowing 90 days for a vendor to fix the issue and 30 days for users to apply the patch once available. Early reports will exclude technical details to prevent misuse.

The change is part of a broader effort to enhance security across enterprise systems, as zero-day vulnerabilities continue to pose significant risks. Project Zero will evaluate the impact of this policy change on the overall safety of digital ecosystems.
