Google has added an extra 30-day period to its vulnerability disclosure cycle to allow customers more time to fix vulnerabilities before technical details are released.
The tech giant’s Project Zero team is a prolific researcher of industry vulnerabilities, and maintains a strict policy of public disclosure 90 days after vendor notification, in order to pressure firms to issue patches more quickly.
“In practice however, we didn't observe a significant shift in patch development timelines,” explained manager Tim Willis yesterday. “And we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch. In other words, the implied timeline for patch adoption wasn't clearly understood.”
The extra 30-day grace period before details are released will apply only to bugs that are fixed within the initial 90-day period. If an issue remains unpatched after 90 days, technical details are published immediately.
Google also applied the 30-day period to the separate timeline for bugs being actively exploited in the wild against users. If such an issue remains unpatched after seven days, technical details are published immediately, but if it’s fixed within that week, those details will now be published 30 days after the patch.
Willis maintained that early release of the details surrounding each bug ultimately benefits the defensive community and helps protect users, but he acknowledged that it also risks inviting opportunistic attacks.
“Moving to a ‘90+30’ model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” he concluded.