Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy



Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020. Until now, if Project Zero researchers found a security hole in a product, it was disclosed after exactly 90 days, regardless of when a patch was released or whether a patch was available at all. The impacted vendor could request a 14-day grace period and disclosure could happen earlier based on a mutual agreement.

For 2021, the disclosure deadline of 90 days remains unchanged, but if the vulnerability is patched within that 90-day timeframe, technical details will only be made public 30 days after the release of a fix, to give users time to install the patch. The 14-day grace period can still be requested by the vendor.
