Project Zero – Policy and Disclosure: 2025 Edition
9 months ago
- #Vulnerability Disclosure
- #Patch Management
- #Cybersecurity
- Google Project Zero updated its vulnerability disclosure policy to the '90+30' model in 2021 to drive faster patch development and improve patch adoption.
- Identifies 'patch gap' and 'upstream patch gap' as critical delays in the vulnerability lifecycle, affecting end-user security.
- Announces a new trial policy called 'Reporting Transparency' to increase early disclosure of vulnerabilities to upstream vendors.
- Within one week of reporting, Project Zero will publicly share details like the vendor, affected product, and report deadlines.
- Aims to shrink the upstream patch gap by improving transparency and communication between upstream vendors and downstream dependents.
- Assures that no technical details aiding attackers will be disclosed early, focusing on alerts rather than blueprints.
- The policy is a trial, with monitoring to assess its impact on creating a safer ecosystem with timely vulnerability remediation.