News Insights: News and updates from the Project Zero team at Google

Policy and Disclosure: 2020 Edition

News Insights:

Casey Ellis, CTO, Founder, Chairman

“Project Zero’s policy and disclosure update is a solid concession given the amount of time it can take to get a security patch fully deployed to users, even when a vendor fixes the bug quickly. The right kind of pressure can be a good thing when it comes to vulnerability finds and fixes, and this is what Google is trying to optimize through its policy. Creating efficient patch developments, but avoiding hasty rollouts, is Project Zero’s goal, and Google is moving the industry forward with this policy by motivating developers to prioritize security. The policy’s delayed disclosure notice is a smart move; it relieves the incentive to rush patch development into the wild, which in turn reduces the potential for poor security outcomes as a product of their research. It’s certainly a novel update to standard coordinated vulnerability disclosure (CVD) practices, and it’ll be interesting to see how successful this policy update is throughout the year.”