Google revises Disclosure Policy to help improve patch adoption

Google's Project Zero will not share technical details of the bug for 30 days if a vendor fixes the vulnerability within a 90-day deadline

Google's Project Zero team has announced it is moving to a '90+30' model in its vulnerability disclosure policy, to help speed users' adoption of patches.

Tim Willis, Google Project Zero manager, said that the group will not share technical details of security bugs for 30 days, if a vendor patches the vulnerability before 90 days have passed.

"Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption," Willis wrote in a blog post.

In the case of zero-day bugs, meaning vulnerabilities already being exploited in the wild, the deadline for a fix is seven days; technical details will likewise not be shared for 30 days if the bug is fixed before that seven-day deadline.

Willis said that the extra days are aimed at user patch adoption.

Provided both parties agree, Google can open bug reports to the public before 90 days are up. For example, some vendors may want to synchronise the opening of Google's tracker report with their release notes, to minimise confusion for users.

However, if a bug remains unpatched, Google will release the technical details into the public domain immediately after the 90-day (or seven-day, in the case of zero-days) deadline expires.

Vendors may also request a 14-day grace period from the Project Zero team, or three days for zero-day bugs.

Google says the aim of revising its disclosure policy is to reduce the time that vendors take to fix vulnerabilities and to improve industry benchmarks on disclosure timeframes. The group hopes that the changes will encourage comprehensive fixes, and also cut the time between a patch rollout and user adoption.

Willis said that the new '90+30' policy will give vendors more time than they have now, and that "jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive."

"Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines."

Project Zero last updated its disclosure policy in January 2020, when the group announced that it would wait for at least 90 days before publicly revealing the details of a security bug, even if the bug was fixed ahead of that deadline.

Prior to that, bug details were revealed after completion of the 90-day deadline, or after the release of the patch, whichever came first.

The team said that the changes were made to give vendors more time to create 'thorough' patches for security flaws.