Google's Project Zero security team will wait an extra 30 days before disclosing vulnerability details so end-users have enough time to patch software, Google has announced. That means developers will still have 90 days to fix regular bugs (with a 14-day grace period if requested), but Google will wait an additional 30 days before disclosing the details publicly. For flaws being actively exploited in the wild (zero day), companies still have seven days to patch, with a three-day grace period on demand. However, Google will now wait 30 days before revealing the technical details.
Last year, Google allowed developers more time to fix bugs, hoping they would fix them quickly enough to allow end-users more time to patch. "In practice however, we didn't observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch," Project Zero's Tim Willis wrote.
Now, developers have the full 90- or seven-day periods to develop a patch, and end-users will have 30 days to apply the patch before disclosure. However, if the grace periods are requested, those will cut into the 30 day disclosure times, so bugs will always be revealed after 120 or 37 days, for regular and zero-day flaws — provided they're patched on time. If not patched on time, they'll be published in 90 and 7 days, respectively.
That will apply for 2021, but that could change next year. "Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines," the company said. For more, check out the Google Project Zero day blog.