Google's Project Zero is trying a new approach to push software vendors to fix vulnerabilities faster, while at the same time giving end users time to install the updates. At first glance the new approach seems paradoxical: the public will be informed later than before. But Google has given it some thought.
Google's Project Zero team hunts for vulnerabilities in Google's own software as well as in software developed by other companies. The team reports every vulnerability it finds directly to the vendor, which then has 90 days to fix it. Until now, Google has published details after those 90 days, or earlier if the vendor shipped a fix before the deadline. Vulnerabilities that attackers were already actively exploiting were published after just seven days.
The New Approach
For vulnerabilities that are not being actively exploited, Google continues to give vendors 90 days. If no fix has shipped by then, the public is informed immediately. If a fix does ship, Google waits a further 30 days so that the update can reach users before publicly disclosing the vulnerability. So it can take up to 120 days before the public finds out.
Vendors can request an additional 14 days from Project Zero. Otherwise, the team publishes details after 120 days at the latest.
Background
The underlying question is who benefits most from disclosure: users or attackers. The question is old and has no universal answer.
Shorter deadlines for severe risks
For security holes that are being actively exploited, Google gives vendors only seven days. Vendors can request a three-day extension. If there is no fix by then, Google goes public immediately.
If a fix does ship within the seven days, Google again waits a further 30 days. So it can take up to 37 days before Google informs the public about a vulnerability that is being actively exploited.
Over time, Project Zero wants to shorten the deadlines gradually to push vendors toward faster security updates; 90 + 30 days could become 60 + 30 days, for example. First, however, Project Zero will assess the effects of the new approach.