Google announced Project Zero back in 2014 in a quest to make the internet more secure by researching software exploits and informing affected developers about them. The company soon adopted a 90-day public disclosure deadline in order to speed up the patching process. In 2020, this policy will change just a little bit. Previously, vulnerabilities were published as soon as developers fixed them, but now Google will always wait the full 90 days before it reports to the public. That's meant to ensure that patches have rolled out to more users before potential bad actors know about the exploits, thus leaving fewer people vulnerable.

This change is a reaction to software vendors who believe that disclosures are harmful before a patch has reached enough users. While Google says it doesn't agree, it has still adjusted the 90-day policy to incentivize these vendors to patch security holes even faster so that they have additional time to distribute the bug fixes. Google also hopes that developers will use the remaining time until disclosure to search for the root causes of exploits or the ripple effects of patches, so that attackers can't just make minor changes to their existing strategies and continue their practices. Under mutual agreement, reports can still be published earlier, though.

At the same time, Google is getting stricter about actually enforcing the 90-day rule. Reports used to be published manually by researchers, but starting in 2020, they'll be posted automatically on day 90. If a bug is fixed within the additional 14-day grace period that vendors can ask for on top of the 90 days, the corresponding report will also be published immediately afterwards.

Additionally, Google wants to improve how it handles incomplete fixes. While in the past it filed these issues either as separate vulnerabilities or added them to existing reports, it now consistently wants to add them to the corresponding existing report — even when it's already published.

Overall, Google deems Project Zero successful, since 97.7% of vulnerabilities are usually fixed within the 90-day timeframe. The changes are meant to improve the cooperation between Project Zero and software vendors. That said, the new policies are only a test run for now, and Google knows that it's hard to please everyone involved in the process. The Project Zero team wants to re-evaluate whether the changes work and might adjust the program again in late 2020.

Source: Google