Google Updates Controversial Vulnerability Disclosure Policy

After being criticized by some members of the industry for its strict vulnerability disclosure policy, Google has decided to make some changes based on the feedback it has received.

Google’s Project Zero has given vendors a 90-day deadline to release patches for reported vulnerabilities before their details are made public. Many major organizations have similar policies, but the number of days can vary. For example, HP’s Zero Day Initiative (ZDI) has a 120-day policy, while the CERT Coordination Center at Carnegie Mellon University has a 45-day policy.

Google’s policy came into the spotlight late last year after Project Zero released the details of an unpatched privilege escalation vulnerability in Windows on December 29. In the following weeks, the company made available the details and proof-of-concept code for two additional Windows security flaws just before Microsoft was able to release a patch.

To prevent such situations from arising in the future, the search giant has decided not to disclose vulnerabilities on weekends and US public holidays. If the 90-day deadline is set to expire on a weekend or holiday, the deadline will be moved to the next normal work day, Google said in a blog post on Friday.

Furthermore, the company is prepared to give vendors a grace period.

“If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+),” Google said.
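The deadline arithmetic described above (90 days from the report, shifted off weekends and US public holidays, plus the 14-day grace period when a vendor announces a patch date before the deadline), as an added Python example that is not from the original article or from Google. The holiday set is a constructed sample, since the article does not say which holidays Google observes, and the parameter names are assumptions.

```python
from datetime import date, timedelta
from typing import FrozenSet, Optional

DEADLINE_DAYS = 90   # Project Zero's standard disclosure deadline
GRACE_DAYS = 14      # maximum slip tolerated once a patch date is announced

# Constructed sample of US public holidays; illustrative only, the article
# does not list which holidays Google observes.
SAMPLE_US_HOLIDAYS: FrozenSet[date] = frozenset({
    date(2015, 1, 1),   # New Year's Day
    date(2015, 1, 19),  # Martin Luther King Jr. Day
    date(2015, 2, 16),  # Presidents' Day
    date(2015, 9, 7),   # Labor Day
})


def next_workday(day: date, holidays: FrozenSet[date]) -> date:
    """Move a date forward until it is neither a weekend nor a listed holiday."""
    while day.weekday() >= 5 or day in holidays:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return day


def disclosure_date(reported: date,
                    holidays: FrozenSet[date] = SAMPLE_US_HOLIDAYS,
                    notified_on: Optional[date] = None,
                    patch_scheduled: Optional[date] = None) -> date:
    """Earliest date on which an unpatched issue would be published.

    reported:        day the vendor received the report
    notified_on:     day the vendor told the reporter about its patch date
    patch_scheduled: day the vendor says the fix will ship
    """
    deadline = next_workday(reported + timedelta(days=DEADLINE_DAYS), holidays)
    if notified_on is not None and patch_scheduled is not None:
        told_in_time = notified_on < deadline
        slip = (patch_scheduled - deadline).days
        # Grace applies only when the vendor spoke up before the deadline and
        # the announced patch date is at most 14 days past it.
        if told_in_time and 0 < slip <= GRACE_DAYS:
            return patch_scheduled
    return deadline


if __name__ == "__main__":
    # A report received on 2014-09-30 reaches day 90 on Monday 2014-12-29.
    print(disclosure_date(date(2014, 9, 30)))
```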

Another change is related to Common Vulnerabilities and Exposures (CVE) identifiers. In an effort to avoid confusion, the company has promised to ensure that all vulnerabilities are assigned CVEs before their details are disclosed.

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Google expects to be held to the same standard; in fact, Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy,” Google noted.

Project Zero has reported a total of 154 flaws so far and 85% of them have been addressed within the 90-day deadline, Google said. For example, Adobe fixed all of the 37 Flash Player vulnerabilities reported by Project Zero researchers before the deadline expired.

Microsoft isn’t the only “victim” of Google’s strict disclosure deadline. In January, Project Zero also disclosed three vulnerabilities affecting Apple’s OS X operating system, just days before the company released security updates.

According to Google, no further missed deadlines are expected, at least not in February.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.