Policy and Disclosure: 2021 Edition
Posted by Tim Willis, Project Zero
At Project Zero, we spend a lot of time discussing and evaluating vulnerability disclosure policies and their consequences for users, vendors, fellow security researchers, and software security norms of the broader industry. We aim to be a vulnerability research team that benefits everyone, working across the entire ecosystem to help make 0-day hard.
We remain committed to adapting our policies and practices to best achieve our mission, demonstrating this commitment at the beginning of last year with our 2020 Policy and Disclosure Trial.
As part of our annual year-end review, we evaluated our policy goals, solicited input from those that receive most of our reports, and adjusted our approach for 2021.
Starting today, we’re changing our Disclosure Policy to refocus on reducing the time it takes for vulnerabilities to get fixed, improving the current industry benchmarks on disclosure timeframes, as well as changing when we release technical details.
The short version: Project Zero won’t share technical details of a vulnerability for 30 days if a vendor patches it before the 90-day or 7-day deadline. The 30-day period is intended for user patch adoption.