Google's Project Zero is a team of security engineers whose dedicated task is reducing the number of "zero-day" vulnerabilities across the internet. The team has stated that developers will be given a further 30 days before details of a vulnerability are revealed, giving end users time to get their software patched.
The Goal Of Project Zero
Developers still get 90 days to address and fix a bug. However, Project Zero will now wait a further 30 days before disclosing full details of the bug to the public. For flaws that are being actively exploited in the wild, the vendor gets one week to patch the issue, and can request a three-day grace period; in either case, Project Zero will not publish the technical details until 30 days have passed after the fix.
In 2020, Google announced a trial that gave developers a fixed 90-day window covering both patch development and patch adoption. The idea was that a developer who wanted more time for users to install a patch would ship that patch earlier within the 90-day period.
However, Tim Willis of Project Zero noted that in practice the team did not observe any significant shift in patch-development timelines. The team also reportedly kept receiving feedback from several vendors who were concerned that technical details were being published before most users had installed the patch. In other words, developers had not understood the patch-adoption timeline implied by the 90-day window.
The goal of this update is therefore to make the patch-adoption timeline explicit in the vulnerability disclosure policy. The new 90+30 day policy should give vendors more time than the previous one. Having chosen a comfortable starting point, the team intends to reduce the timelines gradually over time.