News and updates from the Project Zero team at Google

Policy and Disclosure: 2021 Edition

Posted by Tim Willis, Project Zero

At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and the software security norms of the broader industry. We aim to be a vulnerability research team that benefits everyone, working across the entire ecosystem to help make 0-day hard.

We remain committed to adapting our policies and practices to best achieve our mission, demonstrating this commitment at the beginning of last year with our 2020 Policy and Disclosure Trial.

As part of our annual year-end review, we evaluated our policy goals, solicited input from those that receive most of our reports, and adjusted our approach for 2021.

Summary of changes for 2021

Starting today, we're changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details.

The short version: Project Zero won’t share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption.
