Google's Project Zero extends 90 day exploit disclosure deadline

Google has extended the disclosure period for vulnerabilities uncovered in its Project Zero program by an additional two weeks, if a vendor is planning a patch in the two weeks following the deadline.

Writing in a group post on the Project Zero blog, the search giant revealed a number of changes to the disclosure of 'Zero Day' exploit disclosures, including a the assignment of CVEs, deadline shifts for weekends and holidays, and an additional 14 day 'grace period' for vendors with a patch scheduled up to two weeks after the 90 day deadline.

These changes, Google believes, will "improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline."

The change follows some questioning the rigid way in which Project Zero releases its vulnerabilities, which resulted in some Windows 8.1 and OSX bugs being released before the respective companies had patches ready to deploy.

Answering criticism on the Project Zero discussion following the release of the former, Google security engineer Ben Hawkes praised users for a "robust discussion" on the merits of the policy, but defended the 90 day deadline, stating: "Project Zero believes that disclosure deadlines are currently the optimal approach for user security – it allows software vendors a fair and reasonable length of time to exercise their vulnerability management process, while also respecting the rights of users to learn and understand the risks they face."

“With that said, we’re going to be monitoring the effects of this policy very closely … We’re happy to say that initial results have shown that the majority of the bugs that we have reported … get fixed under deadline, which is a testament to the hard work of the vendors,” he added.

Indeed, Tech Week Europe claims that 95 percent of vulnerabilities exposed through the Project Zero program are patched within the deadline.

Google claims its 90-day release schedule is in line with other industry peers, and The Verge seems to confirm this, pointing out that The Zero Day Initiative provides a 120 day window, whilst Carnegie Mellon's CERT allows just 45 days from disclosure.