Google amends disclosure policy to encourage 'thorough' security patches from developers

Google will now wait for at least 90 days before disclosing bug details

Google's Project Zero team has made changes to its disclosure policy to give vendors more time to create "thorough" patches for security flaws uncovered in their applications.

Under the revised policy, Google will wait for at least 90 days before publicly revealing the details of a security bug, even if the bug is fixed ahead of that deadline.

The change will ensure that the vulnerability remains undisclosed for a longer period of time, providing developers adequate time to address the root cause of the flaw.

We don't expect this policy to please everyone, but we're optimistic that it will improve on our current policy

Previously, the details of the bugs were revealed after completion of the 90-day deadline, or after the release of the patch, whichever came first.

But in a blog post published this week, Tim Willis, Google Project Zero manager, said that under the new policy the team will privately disclose the details of a security hole to the relevant vendor first and give them 90 days to fix the flaw.

The vendor's developers should spend the next few days creating and testing the fix before rolling it out to users. If a fix breaks during the 90 days or proves inadequate to fully address the flaw, the vendor will still have time to correct it before Google discloses the details publicly.

Vendors can also request an additional 14-day grace period if they believe they won't be able to fix the reported vulnerability within 90 days.

If a grace period is requested and the security flaw is patched between day 90 and day 104, Google will release the details on the day it is fixed.

The Project Zero team can also make bug reports public before the 90 days have elapsed, provided the vendor agrees. For example, some vendors may want to synchronise the opening of Google's tracker report with their release notes to minimise confusion for users.

According to Willis, the primary purpose of revising the disclosure policy is to encourage more thorough patch development and better patch adoption, while keeping the original goal of driving quicker patch development.

"Disclosure policy is a complex topic with many trade-offs to be made. We don't expect this policy to please everyone, but we're optimistic that it will improve on our current policy, encompasses a good balance of incentives and will be a positive step for user security," Willis stated.

The Project Zero team will trial the revised approach over the next 12 months, and may decide to make it permanent if no serious issues arise.