Google Project Zero changes rules on revealing cyberattacks

News
By
published

Companies will now get a full 90 days before vulnerabilities are disclosed

Zero-day attack
(Image credit: Shutterstock) (Image credit: Shutterstock.com)

Google's Project Zero has revealed that it will be trialing a new policy where the security team will give companies a full 90 days before disclosing issues in their systems or software.

The search giant's team of security analysts is well regarded for discovering major vulnerabilities but it has received criticism from others in the industry for its relatively fast disclosure times. The new disclosure policy aims to fix this while also holding companies more accountable for how they patch security issues.

The manager of Project Zero at Google, Tim Willis explained in a blog post that while the team may be making changes to its disclosure policy, it has yielded impressive results over the last five years, saying:

“We're very happy with how well our disclosure policy has worked over the past five years. We've seen some big improvements to how quickly vendors patch serious vulnerabilities, and now 97.7% of our vulnerability reports are fixed within our 90 day disclosure policy.”

Disclosure policy changes

After reviewing its topic disclosure policy, Project Zero has announced that it will be making some changes in 2020 including that fact that all companies will be given a “full 90 days by default, regardless of when the bug is fixed”. However, if there is an agreement between a vendor and Project Zero, bug reports can be published before the 90 day deadline is up.

Google's security team will also now work to encourage companies to create patches that are more thorough and to improve adoption within the 90 day period. In the past, Project Zero's goal of “faster patch development” may have led vendors to patch vulnerabilities by “papering over the cracks” without addressing the root cause of a vulnerability and the changes to its disclosure policy aim to rectify this.

Project Zero also intends to work to improve timely patch adoption so that end users can actually benefit from bugs being fixed.

Google plans to trial the new policy for 12 months before it decides whether to “change it long term”.

Via 9to5Google

TOPICS
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Woman shocked by online scam, holding her credit card outside
Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Woman using iMessage on iPhone
UK government guidelines remove encryption advice following Apple backdoor spat
Cryptocurrencies
Ransomware’s favorite Russian crypto exchange seized by law enforcement
Wordpress brand logo on computer screen. Man typing on the keyboard.
Thousands of WordPress sites targeted with malicious plugin backdoor attacks
HTTPS in a browser address bar
Malicious "polymorphic" Chrome extensions can mimic other tools to trick victims
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Latest in News
A collage of Ellie and Joel in The Last of Us season 2
The Last of Us season 2's new trailer teases a huge showdown between Bella Ramsey's Ellie and Pedro Pascal's Joel, but the big moment I'm waiting for is still being held back
Apple iPhone 16 Pro Max REVIEW
New iPhone 17 Air leak may have revealed some key specs – and how it compares to the iPhone 17 Pro Max
Gaming with AI
I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
Apple iPhone 16 Review
Three iPhone 17 model dummy units appear in a hands-on video leak
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
New Samsung Galaxy S25 Edge may have revealed some key details – including its price
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 10 (game #1141)
More about security
Woman shocked by online scam, holding her credit card outside

Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
Cryptocurrencies

Ransomware’s favorite Russian crypto exchange seized by law enforcement
Gaming with AI

I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
See more latest
Most Popular
Gaming with AI
I asked Gemini to play a text-based adventure game with me and the AI whisked me away to a word-based fantasy
A collage of Ellie and Joel in The Last of Us season 2
The Last of Us season 2's new trailer teases a huge showdown between Bella Ramsey's Ellie and Pedro Pascal's Joel, but the big moment I'm waiting for is still being held back
Molecular hard drive
Chinese researchers are looking to create a revolutionary type of hard drive based on organic materials but huge unknowns remain
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 10 (game #1141)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 10 (game #372)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 10 (game #638)
Apple iPhone 16 Pro Max REVIEW
New iPhone 17 Air leak may have revealed some key specs – and how it compares to the iPhone 17 Pro Max
Dynabook Portégé Z40L-N
Dynabook's newest laptop has a 4-year warranty, a swappable battery, a weight of under 1 kg, and even a LAN port
Cortical Labs CL1
A breakthrough in computing: Cortical Labs' CL1 is the first living biocomputer and costs almost the same as 'Apple's best failure'
Workplace AI Adoption
ChatGPT remains the most popular AI tool in offices worldwide, survey finds, with India leading the way