Google Project Zero revises vulnerability disclosure policy: bug details stay private for a full 90 days
Google Project Zero recently announced on its official blog that it has made a major adjustment to its vulnerability disclosure policy. The new policy no longer "tolerates" vendors that are slow to fix bugs, but it also no longer rewards a fast fix with early publication. From January 1, 2020, unless an agreement is reached with the vendor in advance, details of a vulnerability are published 90 days after the report is submitted, regardless of whether the vendor has fixed it by then.
Project Zero's 90-day disclosure deadline has been in place for about five years. Although roughly 97.7% of the vulnerabilities it reports are now fixed within 90 days, a number of bugs still remain unfixed when the deadline passes.
The Google security team recognized that both patch development and patch adoption needed to improve. Under the old policy, if a vendor shipped a fix before the 90 days were up, the details of the vulnerability could be published as soon as the fix was released, that is, earlier than 90 days. Under the new policy, the details are published at the 90-day mark whether or not the vulnerability has been fixed, and no earlier.
Google stated that the change is meant to give the industry a fairer and more consistent disclosure mechanism. Besides continuing to push for faster patching, the new policy is intended to encourage more thorough patch development and broader update coverage, so that a fix actually reaches users rather than just being released. The policy applies to Google's own products as well, in the interest of a disclosure mechanism that treats every vendor alike.
According to Tim Willis of Google Project Zero, a very common problem in the past was that vendors receiving a vulnerability report pursued patching speed above all else, since shipping a fix early would stop the details from being published before 90 days. A rushed fix is often incomplete, and an attacker can easily adjust the exploit to work around it and continue the attack. Fixed disclosure at 90 days removes that incentive: vendors are pushed to focus not only on how quickly they patch but also on whether the patch is complete and whether users actually install the update.
Google will run the new policy as a 12-month trial and then decide whether to adopt it as its long-term policy.