- Google's Project Zero gives vendors 90 days to fix a reported bug and a further 30 days for patches to be adopted
- The "upstream patch gap" is the delay between a fix being available upstream and it actually reaching end users, which is often too long
- Reporting more details earlier is intended to encourage more transparency
Google has committed to updating its Project Zero disclosure policy so that more details about reported vulnerabilities are published earlier, with the aim of improving security by giving downstream developers and users an earlier signal that a vulnerability exists and is being fixed.
In 2021, Project Zero adopted a "90+30" policy: vendors get 90 days to fix a reported bug, plus an additional 30 days for users to adopt the fix, provided the bug was fixed within the 90-day window.
Since then, however, a so-called "upstream patch gap" has emerged: the time between a fix becoming available upstream and it being shipped by downstream vendors is longer than ideal, which extends the lifetime of vulnerabilities.
Google's Project Zero will disclose even more information
A new trial policy is intended to improve the transparency of reports by disclosing the vendor or open source project, the affected product, the date the report was submitted and the 90-day disclosure deadline.
The changes were announced by Tim Willis of Project Zero, who explained: "For the end user, a vulnerability is not fixed when a fix is released from vendor A to vendor B; it is only fixed when they download the update and install it on their device."
"By providing an early signal that a vulnerability has been reported upstream, we can better inform people downstream," Willis wrote.
Google hopes that updating Project Zero's policy to publish more details earlier will help the public track how long it takes between a vendor making a fix available and that fix reaching the end device. Willis explained that the goal is an environment where transparency is normal and expected.
Willis stressed: "No technical details, proof-of-concept code or information that we believe would materially assist discovery will be published", so the earlier reports will not give attackers a head start.