Google Project Zero To Extend Disclosure Deadlines


Google softens stance after Microsoft controversy but says deadlines are making users safer

Google has defended its policy of automatically publishing zero-day vulnerabilities discovered by its Project Zero team after 90 days, but has promised to offer up to two weeks' grace if a vendor notifies the search giant that a patch is in the works.

Microsoft has been critical of Google for publishing details of two vulnerabilities, arguing that such disclosures harmed end users by offering attackers information about potential flaws that could be exploited.

The Windows developer added that Google had refused to delay the disclosure despite knowing that a patch was in development.

Project Zero deadlines

However, Google says that 85 percent of the flaws uncovered by Project Zero have been patched within the 90-day deadline, a figure which has increased to 95 percent since 1 October 2014. The company claims it notifies vendors immediately of any bugs in a bid to protect users.

“Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster,” said Project Zero in a blog post. “Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.

“Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.

A few caveats

“Deadlines appear to be working to improve patch times and end user security — especially when enforced consistently.”

Despite this, it says it will extend the 90-day deadline if it falls on a weekend or a US public holiday, or by up to 14 days if a vendor notifies it that a patch is in the works and that it will be released before that extended deadline. Ultimately, though, Google says it reserves the right to change deadlines as it sees fit.

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.”
