Google Project Zero has added a 30-day period to the 90-day period in which it releases details of zero-days. The initiative still gives companies 90 days to release patches, but users will then have 30 days to install them.
In a blog post, Project Zero says that the initiative is adjusting its Disclosure Policy to reduce the time it takes to patch vulnerabilities. The initiative also wants to give companies a chance to develop better patches and give users a better chance to install the patch.
In the old policy, Project Zero gave companies 90 days to install and release a patch. Even if the patch was ready earlier or later than those 90 days, the technical details of a zero-day found were shared after 90 days. If necessary, this could be extended by 14 days if the patch could be ready within a maximum of 104 days. However, this led to patches often coming out at the last minute and users having little time to actually install them.
90 + 30 days
To avoid this situation, Google has decided to postpone the publication of details about a zero-day until 30 days after a patch has been released. Companies will still have 90 days to develop a patch, but if the patch is not available by then, technical details about the zero-day will be made public immediately. If a company releases a patch on day 90, the technical details are published 120 days after the initial discovery. Under the new policy, a two-week extension can also be requested. In that case, developers have until after 104 days to come up with a patch, but the publication date is not pushed back until later than 120 days.
For vulnerabilities that are already being actively abused, Google applies a much shorter patch time of 7 days. This patch time remains, but now 30 days are added to give users the chance to install the patch. Also, a delay period of three days has been made available.
Old system did not work to satisfaction
Project Zero says that it initially hoped that the 90-day period would force developers to come up with a patch quickly so that users would have plenty of time to install it. In practice, however, this policy did not lead to a significant shift in the development time of a patch. That is why Project Zero has come up with the new policy, hoping that it will lead to better protection against zero-days.
Period will be shortened in the future
The initiative plans to shorten this period in the future. The current idea is to reduce the period to 84 + 28 days by 2022. Because this number can be divided by 7, there is much less chance that deadlines fall on weekends.