Google's Project Zero bughunting team has modified its controversial vulnerability disclosure policy, and will from now on release all details on flaws a full 90 days after reporting by default.
This applies regardless of when the bug is fixed, unlike last year, when Project Zero would agree to earlier disclosure before the 90 days were up if a patch was out, at the researchers' discretion.
From now on, earlier disclosure is by mutual agreement between Project Zero and vendors.
The prior disclosure policy also had inconsistent handling of incomplete fixes.
They were either filed as separate vulnerabilities or added to existing reports, at the discretion of the researchers.
Now, incomplete fixes will be reported to vendors and added to the existing reports, even if they're public, and the deadline won't be extended.
Vulnerabilities that are exploited in the wild will be disclosed after seven days, which is the same as before.
Project Zero said that the aim of the policy change is to have faster and more thorough patch development, with improved fix adoption.
This is a more ambitious overall policy goal than just faster patch development, which is what Project Zero has aimed for until now.
Project Zero wants to make attacks with zero-day exploits more costly. Faster development and deployment of patches form part of that goal.
The offensive vulnerability research team started in 2014, and copped flak from vendors and other researchers soon after for its strict 90-day disclosure policy.
Project Zero softened the 90-day policy somewhat in 2015, allowing for public holidays, weekends and vendors applying for a grace period if a patch is to be released within 14 days of expiry of the deadline.
The new policy will be trialled for 12 months and reviewed after that to consider whether it should remain in effect long term.