Software developers no longer have to fear that their users will have too little time to install an update that resolves a vulnerability. From now on, Google Project Zero will wait a fixed number of days (ninety) before it reports that a defect has been found.
Previously, Project Zero also gave developers ninety days, but a vulnerability could still be made public before that time was up: if a developer rolled out an update that fixed the vulnerability, the ninety-day waiting period automatically lapsed.
This could lead to a situation where users had hardly any time to update a program, while malicious parties already knew that the new update resolved a vulnerability. By actually waiting ninety days from the moment a vulnerability is reported, Project Zero hopes to prevent such cases in the future.
However, if both the developer and Project Zero agree, the vulnerability can be revealed earlier. Developers can also ask Google to extend the period if rolling out an update takes more time. In that case, instead of ninety days, developers get 114.
According to Project Zero Manager Tim Willis, this extension should ensure that developers use the extra time to come up with a better solution, rather than opting for a rushed solution.