Back on 15th July 2014, Google announced “Project Zero”, a team of dedicated expert security engineers tasked with reducing the overall number of “zero-day” vulnerabilities on the World Wide Web. Recently, the search engine company announced that it will give “Project Zero” a 30-day grace period before announcing bugs and vulnerabilities to the public. This new time frame is put in place to give end-users a considerable amount of time to patch and fix their security issues.
The previous time frame gave developers 90-odd days to patch bugs and roll out updates before “Project Zero” disclosed a developer’s vulnerabilities to the public. This may seem like a threat, but it definitely is not; it is in place for the security, safety and privacy of the end-user. However, according to recent reports, “Project Zero” is extending this time with an additional 30-day grace period before the technical details are disclosed.
As mentioned in a report by The Verge, Tom Willis from Project Zero recently wrote in a blog post that since the 90 days trial period was announced for developers, the main agenda of these special security engineers has been to ensure that developers get sufficient time to make amends and develop their patch. Adoption of the patch, which is usually carried out by rolling out software updates, also takes time, and 90 days seems sufficient for all developers. Despite that, vendors and developers have frequently worried that their vulnerabilities and technical details will be disclosed to the public. Willis further added that despite this 90-day time frame, there was no significant shift in patch development timelines.
Given this issue, Google has decided to give developers a grace period of 30 more days so that they get sufficient time to fix their vulnerabilities and roll out the patch for adoption without continuously worrying about the deadline. Google’s “Project Zero” says that if a flaw is actively being exploited, the developer company will have no more than 10 days to fix the problem, which includes a primary time frame of 7 days plus 3 days in the grace period. However, before the technical details of the vulnerabilities are disclosed to the public, the search engine company is offering a 30-day grace period.
As mentioned in a report by The Verge, this 90+30-day policy by Google’s Project Zero seems more effective and beneficial for developers. Willis wrote that this time frame is neither abrupt nor disruptive.