For those who are not familiar with Google’s Project Zero, here is a quick overview. Project Zero is a team of security analysts employed by Google and tasked with finding zero-day vulnerabilities. Bugs found by the Project Zero team are reported to the owner or manufacturer and are only made public once a patch is released, or once 90 days have passed without a patch.
The 90-day deadline is Google’s way of implementing responsible disclosure: software companies get 90 days to fix a problem before it is disclosed publicly, so that users can take the necessary steps to protect themselves from attacks and malware. No extensions or leniency are granted when it comes to disclosing bugs or security threats.
However, Google has now decided to relax the previously stringent 90-day policy. Under the new rules, weekends and holidays are taken into account: if a 90-day deadline falls on one of those dates, it is moved to the next working day.
Additionally, Google will grant companies a 14-day grace period if they inform Google that they plan to release a patch for an issue on a specific day after the normal 90-day deadline expires. This follows criticism from Microsoft and Apple after Google published security flaws that the two companies said were only days away from being patched.
Google also stated that the initiative has so far been successful for users worldwide. For example, Adobe has fixed about 37 such flaws within the 90-day deadline. To date, Project Zero has identified 39 vulnerabilities in Apple products, including Apple OS X bugs, and 20 bugs in Microsoft products.
Google holds its own products, such as Chrome and Android, to the same standards. In fact, Project Zero is said to have bugs in the pipeline for these Google products, and they are subject to the same deadline policy. Though highly controversial, this initiative should push companies to adopt strict standards when it comes to security.