Project Zero: Google Changes Vulnerability Disclosure Policy

Many of you may be familiar with Google's Project Zero. In general terms, the process works like this: if a security vulnerability is found, the vendor of the affected software is informed. The vendor then has 90 days to close the vulnerability.

If the vulnerability is not closed within that time, the technical details are published. If the vulnerability is closed, the report is published as well. A 14-day grace period is allowed here. This is the point where Google's Project Zero team is correcting its 2020 guidelines.

From now on, once a vulnerability has been fixed, the details will not be released until 30 days later. The aim is to give users of the affected apps, programs, or operating systems time to install the updates. This is, in principle, the same approach already familiar from Google Chrome security updates: the vulnerability is listed by title, but the technical details are only announced once most users have updated to the new Chrome version.

If a vulnerability was already "in the wild", i.e. already being exploited, and it was fixed within 7 days, the technical details had previously been published at the same time as the fix. Here, too, the description will now only be published 30 days later.

I consider this a good decision by the Google team, because not everyone updates their software immediately. The new rule with the 30-day delay, in force since April 16, 2021, is to be viewed positively. If you want to read through the complete change, you will find Google's article linked on this page.
