Before disclosing security flaws, Google’s Project Zero security team will wait 30 days more. Thus, according to the company, end-users would have enough time to patch software.
90 days to fix the security flaws
Although developers will still have 90 days to fix the security flaws, the company will wait 30 days more before disclosing technical details. Also, a 14-day grace period will be available if requested.
Still, for those zero-day flaws that hackers actively exploit, companies will still have a one week time to patch, plus a three-day grace period.
The decision comes as Google allowed developers more time for this, last year. Thus, they expected that developers would do this quicker, so end-users would have more time for patching.
But the things did not go as expected. “We didn’t observe a significant shift in patch development timelines,” Tim Willis, from Project Zero wrote. He added that vendors “were concerned about publicly releasing technical details (…) before most users had installed the patch.”
Three months available for a patch
At this moment, companies’ developers benefit from a 90 or seven-day period to work on a patch. Also, before disclosure, end-users will have 30 days to apply the patches.
Anyway, if developers ask for a grace period, the company will include them in the 30 day disclosure time. As a result, the regular flaws could be revealed at the latest 120 days. But this will happen only if they are patched on time. If not, the company will publish them after 90 days.
On the other hand, for zero-day flaws, developers will get seven more days.
Although this will apply for this year, changes might appear in 2022.
According to the company, “Our preference is to choose a starting point that can be consistently met by most vendors.” Afterwords, Google intends to “ gradually lower both patch development and patch adoption timelines.”