Google’s Project Zero program, which discloses exploits, security vulnerabilities and other serious bugs, will test revised policies in 2020. With the new policies, Project Zero hopes to encourage companies to release more thorough patches. It also hopes to see wider adoption of those patches.
In a blog post about the changes, Project Zero notes that it has spent the last five years trying to encourage faster patch development through its 90-day disclosure deadline, pointing out that in 2014 some bugs took upwards of six months to fix. In 2019, developers fixed 97.7 percent of reported bugs within the deadline. Now, however, the program wants to emphasize not just faster patch development but more thorough patches that reach more users.
The biggest change in Project Zero’s policies is that the program will now wait the full 90 days to disclose a flaw instead of releasing the details as soon as it is fixed, even if a company ships a fix well ahead of the deadline. This should give developers more time to distribute a patch to users, and more time to ensure the patch addresses the root cause of the problem rather than merely papering over the specific reported case.
On the same note, if a fix turns out to be incomplete, Project Zero will report that to the developer and add it to the existing report. Previously, the program treated incomplete fixes as separate problems with their own deadlines. On top of this, Project Zero plans to open tracker reports the moment developers patch a flaw during the ‘grace period,’ a 14-day extension granted to developers who will only narrowly miss the 90-day target. It will also open tracker reports for patches released on the 90th day, or earlier under mutual agreement with the developer.
Previously, Project Zero opened bugs fixed during the grace period to the public once the patch was released, and when a deadline expired without a fix, the tracker report was opened at the researcher’s discretion.
Project Zero plans to test the new policies throughout 2020, and if the results are favourable, it may make the new policies permanent.
For users, there may not be any immediately noticeable change. Over time, however, it may mean that by the time Project Zero discloses a security flaw, the chances that you are already protected are much higher. That said, Project Zero’s insistence on disclosing at the 90-day deadline may still leave some users in the lurch by publicizing issues before developers have patched them.