Project Zero grants a 30-day period before security issues are disclosed


Google's Project Zero, a team of professional security engineers tasked with reducing the number of vulnerabilities across the entire internet, has said it will wait an additional 30 days before revealing vulnerability details in order to give end users time to patch their software, according to The Verge.

Developers will still have 90 days to fix bugs, but Project Zero will wait another 30 days before publicly disclosing details of the bug. If a flaw is being actively exploited, the vendor will have seven days to issue a patch, with a three-day grace period if requested, and Project Zero will then wait 30 days before revealing technical details.

In 2020, Google announced a trial that gave developers 90 days to develop and roll out a patch, with the idea that a developer who wanted more time for users to install the patch would ship the fix earlier within the 90 days.

In practice, however, Tim Willis said in the Project Zero blog post, “We haven’t noticed a major shift in patch development timelines, and continue to receive feedback from vendors who were concerned about publicly releasing technical details about vulnerabilities and exploiting vulnerabilities before most users installed the correction.”

Willis said the goal of the 2021 update is to make the schedule for adopting the patch an explicit part of the vulnerability disclosure policy.

“The 90 plus 30 policy gives vendors more time than our current policy, as jumping straight to a 60 plus 30 (or similar) policy is likely to be very surprising and upsetting,” he added. “We prefer to choose a starting point that most sellers can consistently meet.” The team then intends to gradually shorten the patch development and patch adoption timelines.

