Google Relaxes Project Zero Bug Disclosure Policy


Companies working on a fix can now apply for a 14-day grace period after the 90-day disclosure deadline

The whole fracas over Google Project Zero team’s disclosure of three Windows zero-day bugs before Microsoft could fix them may now be old news, but it seems to have done enough to get the former to revisit its bug disclosure policy. Google’s bug hunters took to the official Project Zero blog on Friday to announce a number of key changes to their disclosure policy.

While a large part of the blog post is dedicated to the importance of bug hunting and reporting programs having disclosure deadlines, and to how the outfit’s own 90-day deadline is “reasonably calibrated for the current state of the industry”, it ultimately concedes that Project Zero’s disclosure policy, as effective as it is (over 85% of bugs fixed within 90 days), could do with a few improvements. The outfit says it has “taken on board some great debate and external feedback around some of the corner cases for disclosure deadlines” and come up with a few policy improvements.

The most notable of these policy updates is the provision of a 14-day grace period after the original disclosure deadline has expired: “If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” reads the blog post.

And don’t you worry about Google having double standards (a concern we raised late last month): “As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy.”

Follow Pulkit on Google+