Google Project Zero to publicly announce bugs within a week of reporting them
The elite bug-hunters at Google Project Zero are taking aim at how long it takes to fix cybersecurity vulnerabilities by publicly announcing bugs within a week of reporting them privately to vendors.
Previously the team of security researchers followed the "90+30" timetable: vendors were told about a bug privately and given 90 days to fix it. If a patch shipped within that window, full technical details were published 30 days after the patch; if not, they were published at the 90-day mark.
That timetable still applies, according to the Project Zero announcement, but now, within one week of reporting a bug, the team will also publicly share that a vulnerability has been reported, to alert other companies that might be affected.
The point is to address something a bit more complicated than the traditional "patch gap" in cybersecurity, which is the time elapsed between a fix for a vulnerability being released and a user actually installing the update. During that period users are considered to be at greater risk, because attackers know about the flaw and can study the fix.
“Our work has highlighted a critical, earlier delay: the 'upstream patch gap,'” wrote Tim Willis, the team lead at Project Zero. “This is the period where an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product.”
The aim is that by “providing an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents,” wrote Willis, who said Project Zero hoped the move would help improve communication between upstream vendors and downstream dependents.
On a new transparency page the team will list who received the report, which product is affected, the date the report was filed and the date the disclosure deadline expires. Crucially, it will not provide "technical details, proof-of-concept code, or information that we believe would materially assist discovery."
As the new policy came into effect on Tuesday, Project Zero disclosed that it had reported six vulnerabilities since June 1, including two in Microsoft’s Windows, one in Dolby Unified Decoder, and three in what appears to be an internal Google product called BigWave.
It also aims to tackle the assumption that once a patch has been issued, end users are protected. The new notices will be visible to the whole supply chain, prompting downstream dependents to act: for instance PC manufacturers that coordinate BIOS or firmware updates alongside Windows updates, or app vendors that embed Windows components.
“This is a trial, and we will be closely monitoring its effects. We hope it achieves our ultimate goal: a safer ecosystem where vulnerabilities are remediated not just in an upstream code repository, but on the devices, systems and services that people use every day,” wrote Willis. “We look forward to sharing our findings and continuing to evolve our policies to meet the challenges of the ever-changing security landscape.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.