Google Relaxes Project Zero 90-Day Deadline: Other Companies Can Breathe Now


Google announced that it will be relaxing its 90-day deadline for its Project Zero initiative, which detects security issues in software not just by the company but of other companies as well.

Initially, once Project Zero identifies a security flaw, the team of security engineers will inform the company that owns the software about the issue. The company is then given 90 days to release a patch to fix the flaw. After the 90-day deadline passes without the company being able to address the problem, Project Zero will post details and sample attack codes of the security flaw in public.

Statistics presented by Project Zero show that of the total 154 security issues that were discovered by the team and eventually fixed, 85 percent were patched within the 90-day deadline. Among the 73 issues that were discovered and fixed from Oct. 1, 2014, 95 percent were patched within 90 days.

In addition, fixes that missed the 90-day deadline were usually patched up very quickly after the deadline had passed.

As such, Project Zero feels that the deadline of 90 days is "reasonably calibrated," as the deadlines appear to be effective in improving security fixes for the safety of end users.

Project Zero added, however, that it will be improving certain aspects of the 90-day deadline, amid great debate and the external feedback that the team received.

Improvements to the 90-day deadline policy include putting the date of the deadline on the next normal working day if the initial date falls on a weekend or a public holiday in the United States. In addition, Project Zero will also be assigning CVE numbers to vulnerabilities. The usage of CVE, which stands for Common Vulnerabilities and Exposures, will reduce confusion among the reported issues for easier identification.

Most importantly, Project Zero said that it will be granting a grace period of 14 days to companies that are not able to beat the 90-day deadline, as long as the company promises that a patch for the vulnerability is scheduled to be released on a specific date within the 14-day grace period. As such, the disclosure of unfixed issues to the public will only occur if the release of a patch significantly misses the deadline by more than two weeks.

The changes were notably spurred by a clash last month between Project Zero and Microsoft over security issues in Windows 8.1.

Microsoft requested Google not to post details regarding the issue upon the expiry of its 90-day deadline, as Microsoft will be rolling out the security update two days after the deadline in Patch Tuesday, which is when the company regularly releases security fixes.

However, Google still posted the details of the problem, a move which Microsoft said increased the difficulty in dealing with the vulnerability.

ⓒ 2018 All rights reserved. Do not reproduce without permission.
Real Time Analytics