Google’s Project Zero team will disclose when vulnerabilities are found in companies’ products within a week, though it will still wait up to 90 days to reveal details of those bugs.
To speed up patch rollouts, a Google security team is making a potentially controversial change to how it discloses software vulnerabilities.
The news comes from Google’s “Project Zero”, which is focused on uncovering previously unknown software bugs, also known as zero-days. The group used to give 90 days for a software vendor to patch a flaw before disclosing the vulnerability publicly. (If a vendor releases a patch, the disclosure will arrive 30 days later to give time for users to install it.)
Project Zero is now revising the team’s vulnerability disclosure policy, citing the need to pressure software vendors into better patch adoption. The 90-day disclosure practice remains in effect. But starting today, the team is going to share when it’s discovered a flaw—publicly stating the vendor’s name and product—within one week of reporting the problem to the software maker.
The new policy is now in effect on a trial basis, leading Project Zero to disclose it’s discovered two new vulnerabilities in Microsoft Windows, along with three flaws in Google’s “BigWave” product, possibly a reference to a video codec.
Name and Shame? Google's Security Team to Publicly Flag New, Unpatched Flaws