Google's Project Zero to make faster vulnerability announcements

Uses soft power to shrink 'upstream patch gap'.

Google's elite bug hunters in the Project Zero team will from now on publicly disclose that they have found a vulnerability within a week of reporting it to the vendor, in a bid to "shrink the upstream patch gap", 

Project Zero defines the "upstream patch gap" as the period where an upstream vendor has a fix available, but downstream dependants haven't integrated it into their end product.

The new policy will be trialled as an effort to reduce the time for vulnerability fixes to reach end user devices, Project Zero security engineering manager Tim Willis wrote.

"For the end user, a vulnerability isn't fixed when a patch is released from Vendor A to Vendor B; it's only fixed when they download the update and install it on their device.

"To shorten that entire chain, we need to address the upstream delay."

The new policy will not change the 90+30-day allowance for vendor bug fixing plus patch adoption that Project Zero introduced in 2020.

Willis also said the change will not help attackers, as Project Zero will not share technical details, proof-of-concept code, or other information it believes would materially assist attackers until the deadline for fixing bugs has expired.

Security consultant Lee Barney welcomed Project Zero's disclosure policy changes.

"I am pleased to see leading tech companies like Google invest in security research and use their soft power to improve industry standards," Barney said.

More could be done, however, including government becoming more active, Barney said.

"While Project Zero’s new approach to vulnerability disclosure increases transparency and puts greater pressure on vendors and manufacturers to act quickly, meaningful and lasting change across our supply chains requires stronger regulation from government—such as the recently introduced Australian Cyber Security Act for IoT devices," Barney said.

"Initiatives like Project Zero are an important force multiplier, but real progress depends on enterprises and governments working together to raise the bar."

Update: Google spokesperson Carrie Jones said Project Zero has updated its blog post announcing the disclosure policy changes to clarify that the policy isn't a strict one-week time limit, following iTNews enquiries.

"Our time frames are dependent on factors like time zones, and publication reviews," Jones said.

"For example, a report that lands quickly or after publication cut-off for a given week will take slightly longer than a week to appear," she added.

Project Zero "has a long history of experimenting with disclosure policies, giving them room to innovate and learn what does and doesn't work," Jones explained, adding that the changes are led by the security researchers.

Copyright © iTnews.com.au . All rights reserved.