Project Zero is a security research team at Google that spends time discussing and evaluating vulnerability disclosure policies and the consequences of those policies for users, vendors, security researchers, and software security. The team says it wants to be a group of researchers that benefits everyone working across the ecosystem and helps make zero-day attacks more difficult. Project Zero has issued a summary of the policy changes that will apply in 2021.
In a nutshell, Project Zero won’t share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or seven-day deadline. The 30-day period is meant to allow for user patch adoption. The team says that if an issue remains unpatched after 90 days, technical details will be published immediately. Earlier disclosure can be made by mutual agreement.
Project Zero says it will set a disclosure deadline of seven days for issues that are being actively exploited in the wild against users. If such an issue remains unpatched after seven days, the technical details will be published immediately. If the issue is fixed within seven days, technical details will be published 30 days after the fix is available.
The researchers will allow vendors to request a 30-day grace period for in-the-wild bugs. Earlier disclosure could happen by mutual agreement. If Project Zero grants a grace period, that grace period consumes a portion of the 30-day patch adoption period rather than extending it. For example, an issue patched on day 100 under a grace period would be disclosed on day 120.
Some elements for 2021 do carry over from 2020. Policy goals include faster patch development, more thorough patch development, and improved patch adoption. When a variant of a previously reported bug is discovered, the technical details of the variant are added to the existing Project Zero report, which may already be public, and no new deadline is granted.