Google's Project Zero security team will wait an additional 30 days before disclosing vulnerabilities so that end users have enough time to patch their software, Google announced. Developers will still get 90 days to fix regular bugs (including a 14-day grace period if requested), but Google will now wait an additional 30 days before releasing the details publicly. For bugs that are being actively exploited in the wild (zero-days), vendors still have seven days to patch, with a three-day grace period, but Google will wait 30 days before releasing the technical details.
Last year, Google gave developers more time to fix bugs, in the hope that vendors would in turn give end users enough time to apply the patches quickly. “In reality, however, we have not observed a significant shift in the patch development timeline, and we continue to receive feedback from vendors concerned about disclosing technical details about vulnerabilities and exploits before most users have installed patches,” wrote Tim Willis of Project Zero.
Now, developers have the full 90-day (or seven-day) limit to develop a patch, and end users then get 30 days to apply it before the details are published. If a grace period is requested, it is deducted from that 30-day window, so bugs that are patched in time will always be published after 120 days for regular bugs and 37 days for zero-days. If a bug is not patched in time, the details are released at 90 or seven days, respectively.
The policy applies for 2021, but it may change next year. “Our priority is to choose a point that can be met by most vendors on a regular basis and then gradually reduce both patch development and patch adoption timelines,” the company said. For more, see the Google Project Zero blog.
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.