Google’s Project Zero Now Giving Vendors 90-Day Grace Period

Most vendors know that no matter how hard they try, their software might sometimes have a vulnerability they never foresaw, and in today’s world, trying to keep ahead of the hackers can be a round-the-clock job. Google’s Project Zero seems to recognize this, and it is giving vendors a grace period to get their act together and plug those holes rather than immediately making the vulnerability public knowledge. Some of the larger companies, like Microsoft, have come into its crosshairs.

Google’s Project Zero, a vulnerability-catching and disclosure program that’s surely been a bit of a pain in the butt to those called out by its team of exploit researchers, typically has a 90-day disclosure policy for the issues it brings to light.

By that, we mean that Google will notify a vendor immediately whenever it finds a critical exploit in a vendor’s software. Once that happens, however, the clock starts ticking. After 90 days, Google publishes the vulnerability for all to see. Ideally, the threat of public disclosure is half public shaming and half encouragement, in a “you should really get this patched up before more creative people take advantage of this exploit” kind of way.

Google, however, has decided to relax that previously stringent 90-day policy just a little bit—likely the result of some vendors expressing a bit of displeasure with Project Zero’s inflexible deadlines.

“While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies. When finders release proof-of-concept exploit code, or other information publicly before a solution is in place, the risk of attacks against customers goes up,” said Chris Betz, senior director of Microsoft’s Security Response Center, in a statement to ComputerWorld.

Microsoft, to note, was burned a bit by Project Zero back in January, when Google publicly revealed a Windows vulnerability all of two days before Microsoft was planning to patch it in an update. Microsoft had even let Google know that the patch was arriving as part of the company’s typical “Patch Tuesday” update cycle. At the time, Betz described the reveal as a “gotcha,” “with customers the ones who may suffer as a result.”

Google’s new changes include allowing for weekends and holidays: if a 90-day deadline is supposed to expire on one of these kinds of dates, Google will move it to the next possible work day. Additionally, Google will give vendors a 14-day grace period if they let Google know that they’re planning to release a patch for an issue on a specific day following the expiration of the normal 90-day deadline.

“Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” reads a Google blog post.

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy,” Google adds.

Jeffrey Lang has joined Movie TV Tech Geeks for 2015 and will be providing his opinion on technology from across the pond in London. Along with having many opinions on tech, gadgets, games, etc., he enjoys watching the Thames from our satellite office there.
