17 April 21, 08:02
Quote: Google Project Zero will now give organizations a 30-day grace period to patch zero-day flaws it discovers in a new disclosure policy revealed this week aimed at speeding up the time it takes for patches to be adopted.
Known for discovering a number of high-profile zero days—in Google’s own products as well as those found in rival Apple’s software—Project Zero last year began revealing the technical details of flaws its researchers discovered 90 days after the initial vulnerability report.
However, now the research group is changing this tactic slightly, saying it will delay disclosure of the technical details of the vulnerability until 30 days after a patch is issued if that patch is created within the 90-day period, according to a blog post by Project Zero’s Tim Willis posted Thursday. “Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption,” he wrote.
Moving to this so-called “90+30 model” will allow researchers and the industry as a whole to “decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks,” Willis explained.
However, technical details of vulnerabilities that remain unpatched during the 90-day period after Project Zero discovers them will still be disclosed immediately after that grace period is up, according to the post.
Read more: Google Project Zero Cuts Bug Disclosure Timeline to a 30-Day Grace Period | Threatpost