
Google is giving companies a grace period with Project Zero

Project Zero is a Google program that aims to catch vulnerabilities in popular services and software and then expose them to the public if the company responsible for a vulnerability doesn’t fix it within 90 days. This has proven to be a major nuisance for many companies, particularly Microsoft, which is why Google has decided to give a 14-day grace period in which, should the company prove that it can fix the vulnerability in a patch within a reasonable amount of time, Google won’t announce it to the public.

Google’s Project Zero, a vulnerability-catching and disclosure program that’s surely been a bit of a pain in the butt to those called out by its team of exploit researchers, typically has a 90-day disclosure policy for the issues it brings to light. By that, we mean that Google will notify a vendor immediately whenever it finds a critical exploit in a vendor’s software. Once that happens, however, the clock starts ticking. After 90 days, Google publishes the vulnerability for all to see—ideally, the threat of public disclosure is half a bit of public shaming, and half encouragement in a “you should really get this patched up before more creative people take advantage of this exploit” kind of way. Google, however, has decided to relax that previously stringent 90-day policy just a little bit—likely the result of some vendors expressing a bit of displeasure with Project Zero’s inflexible deadlines.


Written by Jesseb Shiloh
