Google tweaks vulnerability disclosure policy

Google Security and Project Zero, the tech major's security research team, has confirmed that it will disclose zero-day vulnerabilities only after a 90-day period has elapsed, following harsh words from Microsoft and others over its bug disclosure policy.

Google said: "Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well."

"We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix."

"We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry."

The latest changes also give software vendors an additional 14-day grace period beyond the initial 90-day time frame if a patch is scheduled for release within that two-week period.

The tech major added: "Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+)."

Google was recently slammed by Microsoft for publicly disclosing an unpatched bug in Windows 8.1, after Microsoft allegedly failed to fix the issue within the standard three-month window.

Furthermore, Microsoft called for better co-ordination over software bug disclosures within a week of revealing plans to stop issuing its Patch Tuesday security bulletins to the public in advance.
