V3.co.uk

Google amends bug disclosure policy following Apple and Microsoft scuffle

Project Zero to offer 'grace period' after 90-day patch deadline

Google Project Zero promises to play nice with public disclosure policy
  • Alastair Stevenson
  • @MonkeyGuru
  • 16 February 2015

Google's Project Zero has softened its 90-day disclosure policy following criticism of the public posting of bugs in Apple and Microsoft systems.

Project Zero will not now count US public holidays in the 90-day countdown, and will offer companies actively working on a fix a 14-day "grace period" after the cut-off.

"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," read the Google advisory.

"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."

Project Zero added that it will begin pre-assigning CVE identifiers to all vulnerabilities it discovers, ahead of the 90-day deadline, in a bid to further aid the patching process.

Google launched Project Zero in July 2014 as a way to improve global security levels.

The team's researchers focus on finding and disclosing previously unknown security bugs. The disclosure is initially private and firms are given 90 days to release a fix before the research is made public.

However, Project Zero courted controversy when it publicly disclosed flaws in Microsoft's Windows 8.1 and Apple's Mac OS X operating systems.

Google moved to address these concerns, arguing that it may have applied the policy too rigorously but that public disclosure is effective.

"For example, the Adobe Flash team probably has the largest install base and number of build combinations of any of the products we've researched so far," read the blog post.

"To date, they have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days.

"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February.

"Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."

Google is one of many companies debating its threat disclosure practices. On 9 January, Microsoft controversially announced plans to stop offering non-paying customers advance patch notifications.
