GOOGLE'S PROJECT ZERO will be 'more cautious' in disclosing information about security holes

Network security | Under the new policy, Google's Project Zero will only disclose information about security holes "after exactly 90 days," even if the bug has been fixed before that deadline.

Google's Project Zero security research group recently announced that it will trial a new policy under which it will no longer publish details of a security vulnerability early, even when the software developer has already released a fix. The group's new rule is that details "will only be revealed after exactly 90 days, even if the flaw has been fixed before the deadline." Project Zero will trial the rule for one year before deciding whether to adopt it permanently.


Under the old rules, Project Zero researchers gave software developers a 90-day deadline to release a fix before disclosing the flaw. If the patch was released before that deadline, the team could publish its findings sooner. That can be dangerous when users have not yet installed the patch: once the details are public, unpatched users are easier targets for attackers. Vendors often do release patches on time, but the share of users who have actually installed them is what determines whether anyone is protected.

Users are only safe once they have installed the patch
So from now on, whether the patch is released 20 days or 90 days after Project Zero notifies the developer of the bug, researchers will wait the full 90 days before publishing. There are some exceptions: by "mutual agreement" between the two parties, researchers may disclose the vulnerability sooner, and if the developer needs more time, Project Zero can extend the deadline by 14 days. The seven-day timeline for vulnerabilities that are already being actively exploited in the wild does not change.

In addition to giving users more time to install the patch, the new rules give developers a single, predictable deadline for rolling out a fix, which makes patch releases easier to schedule. Project Zero also expects that the longer window between being notified of a bug and its publication will let developers ship more thorough, higher-quality patches.
Despite this change, the Project Zero team says it is still very pleased with how effective the previous disclosure deadline was at prompting developers to patch their products. When the team started work in 2014, it said, software bugs sometimes took six months after discovery to be patched. Now, it says, 97.7% of the bugs it discovers are patched within 90 days.