Google has decided to change its Project Zero disclosure policy in a move to give developers time to address security vulnerabilities. This would mean that other companies would produce semi-constructed parts.
The project was announced in 2014 to find zero-day vulnerabilities. It has a team of security analysts employed by Google to find these vulnerabilities: secret, hackable bugs that can be exploited by criminals, state-sponsored hackers and agencies.
"We recently reviewed our policies and the goals we hope to accomplish with our disclosure policy. As a result of that review, we have decided to make some changes to our vulnerability disclosure policy in 2020. We will start by describing the changes to the policy, and then discuss the rationale behind these changes," Tim Willis, Manager, Project Zero, wrote in a blog post on Tuesday.
"For vulnerabilities reported starting January 1, 2020, we are changing our Disclosure Policy: Full 90 days by default, regardless of when the bug is fixed." If there is mutual agreement between the vendor and Project Zero, bug reports can be opened to the public before 90 days elapse.
"For example, a vendor wants to synchronize the opening of our tracker report with their release notes to minimize user confusion and questions. Fix a bug in 20 days? We will release all details on Day 90. Fix a bug in 90 days? We will release all details on Day 90," noted Willis.
The tech giant said it will try this policy for 12 months, and then consider whether to change it long term.
(With agency inputs)