Google’s Project Zero security team has been a thorn in the side of software developers for 6 years now, frequently finding obscure bugs and then disclosing them before companies have been able to fix them.

Now the team has announced some changes to their disclosure policy designed to give software vendors more time to patch bugs in the installed base.

As noted in the table above, Google previously disclosed bugs as soon as a vendor fixed them, which could leave millions of unpatched systems vulnerable even though a fix was available.

Now Google will wait the full 90 days, giving developers and IT admins time to roll out patches before the flaw is disclosed publicly and to attackers.

We have also seen that patches developed in haste do not always provide complete protection. Google will now handle these incomplete fixes as part of the original bug report, rather than launching a new media cycle around a new vulnerability.

Hopefully, the change will lead to a safer internet with better patch development and implementation going forward.

Read more at the Project Zero blog here.

Via XDA-Dev
