Google relaxes Project Zero bug disclosure policy after Microsoft complaints
Google managed to ruffle a few feathers recently by disclosing bugs and security problems in widely used software. Project Zero exists to push vendors into fixing the issues it finds by imposing a 90-day deadline, after which details of the vulnerabilities are made public.
Microsoft was angered a month ago when Google published details of a security issue in Windows 8.1 just a few days before a patch was due to be released. A few days later, two more bugs were revealed, leading to complaints not just from Microsoft but also from software users. Now Google has backed down and announced a slight relaxation of its previously strict 90-day disclosure policy.
This is not to say that the 90-day policy is going away, just that there will be a little more flexibility in future. For example, if the deadline runs out on a weekend or public holiday, it will be rolled over to the next working day. That change will go down well with software developers generally, but the introduction of a 14-day grace period is the one that will particularly please Microsoft.
From now on, if a vendor lets Google know that a patch is due for imminent release, the publication of vulnerability details will be delayed for up to a fortnight. The new approach was announced in a post on the Project Zero blog:
We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
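The rules above (a 90-day deadline, rollover past weekends and public holidays, and a 14-day grace period that only applies when the vendor gives notice before the deadline) are easy to get wrong by hand, so here is a small date calculator that applies them. This is an added example, not code from Google or Project Zero; the function names, the (date, reason) return shape, and the sample dates and holiday set are all constructed for illustration, and the blog post does not say whose holiday calendar applies.

```python
from datetime import date, timedelta

# Figures taken from the policy quoted above.
DEADLINE_DAYS = 90   # standard disclosure deadline
GRACE_DAYS = 14      # maximum extension when a patch is imminent


def next_working_day(day, holidays=frozenset()):
    """Roll a date forward past Saturdays, Sundays and listed holidays."""
    while day.weekday() >= 5 or day in holidays:  # weekday(): Mon=0 .. Sun=6
        day += timedelta(days=1)
    return day


def disclosure_date(reported, patch_scheduled=None, vendor_notified=None,
                    holidays=frozenset()):
    """Return (disclosure_date, reason) under the revised policy.

    reported        -- day the report was sent to the vendor
    patch_scheduled -- vendor's announced patch release date, if any
    vendor_notified -- day the vendor told Google about that date
    holidays        -- public holidays to roll past (constructed input; the
                       post does not specify a calendar)
    """
    deadline = next_working_day(reported + timedelta(days=DEADLINE_DAYS),
                                holidays)

    if patch_scheduled is None or vendor_notified is None:
        return deadline, "deadline"

    # The grace period only applies if Google is told before the deadline.
    if vendor_notified > deadline:
        return deadline, "deadline (notified too late)"

    # A patch due on or before the deadline needs no extension.
    if patch_scheduled <= deadline:
        return deadline, "deadline (patch due before it anyway)"

    if patch_scheduled <= deadline + timedelta(days=GRACE_DAYS):
        return patch_scheduled, "grace period"

    return deadline, "deadline (patch more than 14 days late)"


if __name__ == "__main__":
    # Constructed scenarios: 1 Jan 2015 was a Thursday, so 90 days later
    # is Wednesday 1 Apr 2015; a report on Sunday 4 Jan lands on Saturday
    # 4 Apr and rolls to Monday 6 Apr.
    print(disclosure_date(date(2015, 1, 1)))
    print(disclosure_date(date(2015, 1, 4)))
    print(disclosure_date(date(2015, 1, 4), holidays={date(2015, 4, 6)}))
    print(disclosure_date(date(2015, 1, 1), patch_scheduled=date(2015, 4, 10),
                          vendor_notified=date(2015, 3, 30)))
    print(disclosure_date(date(2015, 1, 1), patch_scheduled=date(2015, 4, 20),
                          vendor_notified=date(2015, 3, 30)))
```

The inclusive `<= deadline + 14 days` comparison matches the wording "within 14 days following the deadline"; anything later counts as the "significantly missed (2 weeks+)" case and the original deadline stands.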
Of course, there will still be plenty of companies who are unhappy with what many see as Google's decision to police other vendors' coding. Google points out that all vulnerabilities are treated equally: "Project Zero has bugs in the pipeline for Google products (Chrome and Android) and these are subject to the same deadline policy".