Schneier on Security: Google Project Zero Changes Its Disclosure Policy

Source URL: https://www.schneier.com/blog/archives/2025/08/google-project-zero-changes-its-disclosure-policy.html
Source: Schneier on Security
Title: Google Project Zero Changes Its Disclosure Policy

Feedly Summary: Google’s vulnerability finding team is again pushing the envelope of responsible disclosure:
Google’s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline.
However, as of July 29, Project Zero will also release limited details about any discovery they make within one week of vendor disclosure. This information will encompass:

The vendor or open-source project that received the report

Summary: Google’s Project Zero team has adopted a new approach to vulnerability disclosure that releases limited details about discovered vulnerabilities much sooner. The change is intended to increase accountability among vendors, but it raises concerns that the early details, which carry no information about a vulnerability’s severity, could cause unnecessary alarm.

Detailed Description:

Google’s Project Zero team, which specializes in finding and publicly disclosing vulnerabilities in software products, has recently updated its vulnerability disclosure policy. The following key points outline the notable changes and implications of this policy:

* **Existing Policy**: The team continues to follow its established 90+30 disclosure policy, which gives vendors 90 days to address vulnerabilities before full public disclosure occurs. If the vulnerability is fixed before the end of the 90-day period, an additional 30 days are provided for users to apply the patch.

* **New Disclosure Timing**: Effective July 29, Project Zero now intends to share limited details about any vulnerabilities it discovers within one week of notifying the vendor.

* **Information Released**: The information disclosed during this one-week window will include:
– The vendor or open-source project that received the report.
– The specific product affected by the vulnerability.
– The report submission date and the deadline for disclosure under the 90-day policy.

* **Impact on Vendors**: This approach compels vendors to expedite their patching processes, potentially leading to improved security for users.

* **Concerns Raised**:
– The lack of contextual information regarding the severity of the disclosed vulnerabilities could lead to panic or confusion among the public and users.
– There are concerns about Google’s position as an interested party in the vulnerability landscape, since the company could benefit from creating doubt about the security of competitors’ products.

* **Professional Implications**:
– Security professionals must be prepared to rapidly evaluate and respond to disclosed vulnerabilities following this new policy.
– The faster disclosure of information could accelerate the cycle of vulnerability management, requiring more robust incident response strategies.

This updated policy reflects an ongoing evolution in vulnerability disclosure practices, emphasizing the need for accountability from software vendors while also necessitating careful communication to avoid misinformation during critical security updates.