Google’s Project Zero adds a new 30-day grace period to encourage patching

Google’s security team “Project Zero” has until now followed a disclosure policy of always publishing technical details 90 days after notifying the vendor of a vulnerability. To give users some headroom to apply patches, it is moving to a new model that adds a 30-day grace period before the detailed information is disclosed.

Under the new model, Project Zero does not change its policy of disclosing details after 90 days for vulnerabilities that are not patched within 90 days; but if a patch is released within the 90 days, the technical details will be disclosed 30 days after the patch is released. For vulnerabilities already being used in real attacks, the technical details will be disclosed after one week if no patch is released within one week of notifying the vendor; if a patch is released within those seven days, the detailed information will be disclosed 30 days after it. Vendors can also now request a three-day grace period before the patch deadline, even when the vulnerability is already being exploited. If Project Zero grants a vendor a grace period on the patch deadline (up to 2 weeks if the vulnerability is not being exploited, up to 3 days if it is), that extension is taken out of the 30-day grace period.

In 2020, Project Zero introduced a policy that always gives vendors 90 days before information is disclosed. The purpose of that change was to improve the rate at which users install patches, but it is hard to say that purpose was achieved. Project Zero manager Tim Willis said, “The idea behind this was that if vendors wanted more time for users to install patches, they would prioritize publishing patches as early as possible within the 90-day window.” “But in reality, patch development schedules did not change much, and we continued to receive feedback from vendors concerned that we were disclosing technical details about vulnerabilities and exploits while many of their users remained unpatched, which meant that we had not clearly communicated our intention for this to be a timeline designed to facilitate patch adoption,” Willis said.
He explained that he plans to shorten the 90-day + 30-day period set by this system, but that he first had to start from a deadline that vendors can handle at the moment. “Based on the data we have tracking time to patch release for vulnerabilities, it is likely that in 2022 we will be able to move to an ’84 + 28′ model (making the deadlines divisible by 7 so that the final deadline does not unintentionally fall on a weekend),” he said.