Google’s Project Zero will wait longer to disclose security vulnerabilities

Google’s Project Zero security team will wait an additional 30 days before disclosing details of the vulnerability so that end users have sufficient time to patch the software, Google has said. ad. This means developers will have another 90 days to fix regular bugs (with a 14-day grace period if requested), but Google will wait an additional 30 days before disclosing details publicly. For actively exploited vulnerabilities in the wild (day zero), companies still have seven days to correct, with a three-day grace period on request. However, Google will now wait 30 days before revealing technical details.

Last year, Google gave developers more time to fix bugs, hoping they would fix them quickly enough to give end users more time to fix. “In practice, however, we haven’t seen any significant change in patch development timelines, and we have continued to receive feedback from vendors that they are concerned about publicly releasing technical details of vulnerabilities and exploits. before most users have installed the patch, ”Project Zero Tim Willis wrote.

Now developers have 90 or seven days to develop a patch, and end users will have 30 days to apply the patch before disclosure. However, if grace periods are requested, these will be shortened within the 30-day disclosure timelines, so bugs will still be revealed after 120 or 37 days, for regular and zero-day vulnerabilities – provided that ‘they are corrected in time. If they are not corrected on time, they will be published in 90 and 7 days respectively.

This will apply in 2021, but that could change next year. “Our preference is to pick a starting point that can be consistently met by most vendors, and then gradually reduce the time it takes to develop and adopt patches,” the company said. For more information, consult the Google Project Zero Day Blog.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through any of these links, we may earn an affiliate commission.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *