Google softens controversial vulnerability disclosure policy


Grace periods introduced.

Google's security department has dialled down its vulnerability disclosure policy to give vendors some breathing space to release patches.

The move comes after Google was criticised by Microsoft and researchers for its Project Zero security team's strict adherence to a 90-day disclosure deadline, regardless of whether a vendor patch was ready when the vulnerabilities were revealed.

In January this year, Project Zero disclosed three high-severity flaws in Apple's OS X operating system, leading one researcher to criticise Google for what he called "schoolboy antics".

Project Zero was formed last year and comprises some of the best-known security researchers in the industry. It has discovered hundreds of vulnerabilities, most of which it claims were remedied within the 90-day deadline.

Those that weren't, such as a flaw in the IOKit layer of Apple's OS X operating system, were fixed very quickly after the deadline expired, Google said.

The 90-day deadline will remain, but Google has softened its stance by pushing the deadline past any weekend or United States public holiday on which it would otherwise expire.

Vendors can also apply for a fortnight's grace period if a patch is scheduled for release within 14 days of the deadline expiring, Google said.

Bugs and flaws will from now on always be assigned a Common Vulnerabilities and Exposures (CVE) identifier before details are published, to prevent confusion.

The policy will apply to Google as a whole, not just Project Zero. Google's Chrome web browser and Android mobile operating system will be covered by the 90-day disclosure policy as well, a move that Google said demonstrated it treats all vendors equally.

Google insisted that the 90-day deadline was a good way to push vendors into earlier releases of patches.

It defended the disclosure policy by pointing to other organisations such as the Computer Emergency Readiness Team (CERT), which has a 45-day deadline, and Yahoo, which also publishes vulnerability details after 90 days.

"Disclosure deadlines have long been an industry standard practice. They improve end-user security by getting security patches to users faster," Project Zero boss Chris Evans wrote.
