Google has defended its policy of automatically publishing details of vulnerabilities discovered by its Project Zero team after 90 days, but has promised to offer up to two weeks' grace if a vendor notifies the search giant that a patch is in the works.
Microsoft has been critical of Google for publishing details of two vulnerabilities, arguing that such disclosures harmed end users by offering attackers information about flaws that could be exploited.
The Windows developer added that Google had refused to delay the disclosure despite knowing that a patch was in development.
“Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster,” said Project Zero in a blog post. “Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors.
“Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.
“Deadlines appear to be working to improve patch times and end user security — especially when enforced consistently.”
Even so, Google says it will extend the 90-day deadline if it falls on a weekend or a US public holiday, or by up to 14 days if a vendor notifies it that a patch is in the works and will be released before that extended deadline. Ultimately, though, Google says it reserves the right to change deadlines as it sees fit.
“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.”