Google defends, revises Project Zero 90-day policy

In the software security community, a debate rages around when and how to disclose vulnerabilities and bugs. One camp wants a fixed deadline in order to somewhat force software vendors to fix their bugs before word goes out to the public. Others want a slightly more secretive approach that discloses such issues only once a fix is already available. Google's Project Zero has adopted a hard 90-day stance, but now it's yielding just a wee bit to address some complaints against its policy.

Project Zero was launched in July last year as Google's attempt to make the IT world a safer place. It has adopted the deadline-based security policies of the likes of US CERT or Yahoo!, disclosing software security holes after a set period of time has elapsed from the point the appropriate vendor has been informed. Based on Google's report, it would seem that the tactic has merits and benefits. Flash, for example, was able to fix all 37 of its Project Zero reported bugs within 90 days. Of the total 154 bugs fixed to date, 85 percent were patched within 90 days. It would seem almost perfect. Well, almost.

There have been a few misses, naturally, and this is where the drama starts. Last month, Microsoft made a bit of noise about Project Zero's rigid stance after Google disclosed a vulnerability just a few days before Microsoft could roll out the patch. At the heart of the matter is the fact that Microsoft rolls out such updates only on Tuesdays, which fell a few days after Project Zero's 90 days were up. Microsoft says it explicitly asked Google to stay its hand just to accommodate the weekly schedule. It also took the opportunity to root for the other camp, which espouses "Coordinated Vulnerability Disclosure" or CVD instead of a deadline-enforced one.

Google isn't budging from its policy, but it is willing to concede a bit of ground in some circumstances. For one, it will now start counting holidays and will adjust the 90 days as necessary. And to address Microsoft's complaint, it will allow a grace period of 14 days on top of the 90 days if the software vendor can roll out a patch within those two weeks; otherwise Google will stick to its rules. These are very minor changes that subtly try to placate Microsoft, but they will probably be hardly enough to change the mind of anyone dead set on a different philosophy.

SOURCE: Google