Google Project Zero Tackles Upstream Patch Gap With New Policy

Google Project Zero now publicly discloses that a vulnerability has been reported to a vendor, along with the date on which its 90-day disclosure deadline expires.

Google Project Zero has introduced a new policy aimed at reducing the upstream patch gap by informing the public that a vulnerability has been identified in a product.

The trial policy, called Reporting Transparency, does not impact Google’s 90-day disclosure deadline policy that has been in effect for years, and is expected to have no impact on the exploitation of new security defects.

Per the new policy, within one week of reporting a bug to a vendor, Google will publicly share that the flaw was reported, when the 90-day disclosure deadline expires, the affected product, and the name of the vendor or open source project.

“This trial maintains our existing 90+30 policy, meaning vendors still have 90 days to fix a bug before it is disclosed, with a 30-day period for patch adoption if the bug is fixed before the deadline,” Google underlines.

According to Google, the increased transparency should reduce the upstream patch gap, which is the period between the upstream vendor releasing a patch and downstream vendors incorporating it in their products.

“By providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents. For our small set of issues, they will have an additional source of information to monitor for issues that may affect their users,” Google says.

The policy is also expected to improve communication between upstream and downstream vendors and to speed up patch adoption for end users.

“This data will make it easier for researchers and the public to track how long it takes for a fix to travel from the initial report, all the way to a user’s device (which is especially important if the fix never arrives!),” the internet giant notes.

The trial will likely increase public attention to new vulnerabilities, but it will not help attackers, as no technical information, proof-of-concept (PoC) code, or other revealing details will be shared.

According to Google, the new policy may have an unwelcome effect on vendors without a downstream ecosystem, by attracting attention to issues only they can resolve, but these vendors account for a small fraction of the vulnerabilities reported by Project Zero.

“We believe the benefits of a fair, simple, consistent and transparent policy outweigh the risk of inconvenience to a small number of vendors,” Google notes.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.