Project Zero disclosure policy change puts vendors on early notice

Google this week changed how it publicly discloses vulnerabilities in a bid to give defenders early details about new software defects it discovers, shortening the early window of time between a vendor releasing a patch and customers installing the security update.

Project Zero, Google’s squad of security researchers who find and study zero-day vulnerabilities, will now publicly share when it discovers a vulnerability within one week of reporting that defect to the vendor. Google said these reports will include the affected product and name of the vendor or open-source project responsible for the software or hardware, the date the report was filed and when the 90-day disclosure deadline expires. 

Google’s new trial policy addresses a nagging, persistent challenge in vulnerability management, spanning from discovery to disclosure and patch release to adoption. Tim Willis, head of Project Zero, described this delay as the “upstream patch gap,” in a blog post announcing the change.

“This is the period when an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product,” Willis said. “We’ve observed that this upstream gap significantly extends the vulnerability lifecycle.”

Google insists the policy change will not help attackers, but it may put additional public pressure and attention on unfixed defects. Google hopes this will encourage stronger communication between upstream vendors and downstream customers or dependents, resulting in faster patch development and increased patch adoption, Willis said.

“This data will make it easier for researchers and the public to track how long it takes for a fix to travel from the initial report, all the way to a user’s device,” he said in the blog post.

Project Zero will continue to adhere to a 90+30 disclosure deadline policy that gives vendors 90 days to fix a defect before public disclosure, and 30 days for customers to install the patch. When a vendor addresses a vulnerability before 90 days pass, the 30-day deadline for customers to patch kicks in. If a vendor doesn’t release a patch within 90 days, Project Zero makes details about the vulnerability public.

Early reports of discovered vulnerabilities will not include technical details, proof-of-concept code or information Google believes would help attackers discover the defect until the deadline. Willis described the policy as “an alert, not a blueprint for attackers.”

Zero-day defects are an unyielding problem for defenders, posing a steady risk to enterprise systems and critical infrastructure. Google Threat Intelligence Group tracked 75 zero-day vulnerabilities exploited in the wild last year, noting that zero-day exploitation is targeting a greater number and wider variety of technologies. 

Three of the four most-exploited vulnerabilities in 2024, all of which were contained in edge devices, were initially exploited as zero-days, Mandiant said in its annual M-Trends report released in April.

Project Zero researchers will monitor the effects of this change to the timing of its public disclosures of newly discovered vulnerabilities. “We hope it achieves our ultimate goal,” Willis said, engendering “a safer ecosystem where vulnerabilities are remediated not just in an upstream code repository, but on the devices, systems and services that people use every day.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
