Google amends bug disclosure policy following Apple and Microsoft scuffle
Project Zero to offer 'grace period' after 90-day patch deadline
Google's Project Zero has softened its 90-day disclosure policy following criticism of the public posting of bugs in Apple and Microsoft systems.
Project Zero will not now count US public holidays in the 90-day countdown, and will offer companies actively working on a fix a 14-day "grace period" after the cut off.
"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," read the Google advisory.
"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."
Project Zero added that it will begin pre-assigning CVE threat identification codes to all vulnerabilities discovered ahead of the 90-day deadline in a bid to further aid the patching process.
Google launched Project Zero in July 2014 as a way to improve global security levels.
The team's researchers focus on finding and disclosing previously unknown security bugs. The disclosure is initially private and firms are given 90 days to release a fix before the research is made public.
However, Project Zero courted controversy when it publicly disclosed flaws in Microsoft's Windows 8.1 and Apple's Mac OS X operating systems.
Google moved to address these concerns, arguing that it may have applied the policy too rigorously but that public disclosure is effective.
"For example, the Adobe Flash team probably has the largest install base and number of build combinations of any of the products we've researched so far," read the blog post.
"To date, they have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days.
"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February.
"Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."
Google is one of many companies debating its threat disclosure practices. Microsoft controversially announced plans to stop offering non-paying customers advanced patch notifications on 9 January.
V3 Latest
Scientists uncover 'strongest material in universe', and name it nuclear pasta
Found by calculating the strength of the material deep inside the crust of neutron stars
MIT boffins develop system that can recognise speech and objects at the same time
Can highlight in real-time the relevant regions of an image being described
Latest Tesla news: Tesla to face criminal investigation over Elon Musk's Tesla privatisation tweets
Double legal trouble for Musk as he also faces civil lawsuit over renewed British pot-holer 'paedo' claims
Researchers develop tech to boost the performance of lithium metal batteries
Battery development could help boost performance of smartphones
Most read
