Google's Project Zero has softened its 90-day disclosure policy following criticism of the public posting of bugs in Apple and Microsoft systems.
Project Zero will no longer count US public holidays in the 90-day countdown, and will offer companies actively working on a fix a 14-day "grace period" after the cut-off.
"If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch," read the Google advisory.
"Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (two weeks plus)."
Project Zero added that it will begin pre-assigning CVE identifiers to all vulnerabilities it discovers, ahead of the 90-day deadline, in a bid to further aid the patching process.
Google launched Project Zero in July 2014 as a way to improve global security levels.
The team's researchers focus on finding and disclosing previously unknown security bugs. The disclosure is initially private and firms are given 90 days to release a fix before the research is made public.
However, Project Zero courted controversy when it publicly disclosed flaws in Microsoft's Windows 8.1 and Apple's Mac OS X operating systems.
Google moved to address these concerns, arguing that it may have applied the policy too rigorously but that public disclosure is effective.
"For example, the Adobe Flash team probably has the largest install base and number of build combinations of any of the products we've researched so far," read the blog post.
"To date, they have fixed 37 Project Zero vulnerabilities (or 100 percent) within the 90-day deadline. More generally, of 154 Project Zero bugs fixed so far, 85 percent were fixed within 90 days.
"Furthermore, recent well-discussed deadline misses were typically fixed very quickly after 90 days. Looking ahead, we're not going to have any deadline misses for at least the rest of February.
"Deadlines appear to be working to improve patch times and user security, especially when enforced consistently."
Google is one of many companies debating its threat disclosure practices. Microsoft controversially announced plans to stop offering non-paying customers advance patch notifications on 9 January.