Google has announced that it is to relax its previously rigidly-enforced 90-day Project Zero deadline, following considerable backlash from its disclosure of unpatched vulnerabilities in Microsoft's Windows and Apple's OS X operating systems.
Part of the advertising giant's Security Research arm, Project Zero aims to find zero-day vulnerabilities - security flaws in software and hardware which are not yet publicly known and for which no patch exists - and report them to the relevant vendors for repair. While the team practices a form of responsible disclosure by keeping details of the vulnerabilities private and reporting them directly to the maintainers of the software, the layer of privacy comes with a deadline: 90 days after the flaw has been discovered and reported, its details will be made publicly available whether or not a patch has been developed and distributed.
The result of that approach is that vendors who drag their heels releasing a patch can find themselves with a zero-day vulnerability becoming public knowledge to the detriment of their customers. Google came under fire earlier this year when the 90-day deadline ran out on a zero-day Windows 8.1 vulnerability, which was closely followed by additional unpatched vulnerabilities in Windows and Apple's OS X operating systems.
'Project Zero believes that disclosure deadlines are currently the optimal approach for user security - it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face,' the Google team claimed at the time. 'By removing the ability of a vendor to withhold the details of security issues indefinitely, we give users the opportunity to react to vulnerabilities in a timely manner, and to exercise their power as a customer to request an expedited vendor response.'
Now, the team has announced a change to its approach. While the 90-day deadline will remain in place, it is to get a bit of flexibility that will see vendors able to apply for a 14-day grace period if a patch is due to roll out within two weeks of the original deadline date. Deadlines that are due to expire on a weekend or US public holiday are to also receive a short extension, until the next normal working day.
'Putting everything together, we believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline,' the group claimed in its announcement, which also contained facts and figures revealing that 85 per cent of Project Zero vulnerabilities were fixed by the relevant vendors within the 90-day period and no further deadline misses are expected this month.