Google Project Zero to Publicly Announce Vulnerabilities Within a Week of Reporting
Google Project Zero has announced a significant shift in its vulnerability disclosure practices, implementing a new trial policy that will publicly announce security vulnerabilities within one week of reporting them to vendors.
This marks a departure from the traditional approach where vulnerability details remained confidential until patches were developed and deployed.
The cybersecurity research team revealed this “Reporting Transparency” initiative on July 29, 2025, as part of their ongoing effort to address the persistent “patch gap” problem that delays critical security fixes from reaching end users’ devices.
Key Takeaways
1. Project Zero announces vulnerabilities weekly after vendor notification, keeping a 90-day fix deadline.
2. Only the vendor, product, and timeline are shared; no technical details or exploit code are released.
3. Improves vendor communication to close supply chain security gaps.
The new policy keeps Project Zero's existing 90+30 disclosure framework (90 days for the vendor to ship a fix, plus a further 30 days for that fix to reach users before technical details are published) while adding an unprecedented level of early transparency to the vulnerability lifecycle.
Enhanced Disclosure Timeline Targets “Upstream Patch Gap”
Under the new trial policy, Google Project Zero will publicly disclose basic information about discovered vulnerabilities within seven days of initial vendor notification.
The disclosed information will include the affected vendor or open-source project, the specific product impacted, the original report filing date, and the 90-day disclosure deadline.
Importantly, no technical details, proof-of-concept code, or exploit information will be released during this early disclosure phase.
The initiative extends to Google Big Sleep, a collaborative AI-driven vulnerability discovery project between Google DeepMind and Project Zero, with its own dedicated issue tracker at goo.gle/bigsleep.
This comprehensive approach ensures consistent transparency across Google’s security research initiatives while maintaining the core 90-day remediation timeline that gives vendors adequate time for thorough patch development.
The policy change directly targets what Project Zero identifies as the “upstream patch gap” – a critical delay period where upstream vendors have developed fixes but downstream dependents haven’t integrated these patches into their end products.
This gap has become particularly problematic as Project Zero’s research increasingly focuses on foundational technologies like chipset drivers and embedded systems that require multiple integration steps before reaching consumers.
Tim Willis from Google Project Zero emphasized that vulnerabilities are only truly resolved when end users install updates on their devices, not merely when patches exist in upstream repositories.
The transparency initiative aims to create stronger communication channels between upstream vendors and downstream dependents, potentially accelerating patch adoption across complex supply chains.
While acknowledging concerns about increased attention on unfixed vulnerabilities, the team maintains that basic disclosure information won’t materially assist attackers in developing exploits.