Google’s Project Zero was announced last year as a new way to help improve online security by identifying vulnerabilities in software and services. When the team finds a vulnerability, it reports it directly to the company in charge of the affected software or service; the developers then have a set amount of time to issue a patch before the bug is made public.
Google originally gave developers a strict 90-day window to patch any bugs reported via Project Zero. Developers could contact Google directly to let them know that a patch might just miss the 90-day deadline, in which case a two-week extension would be granted. Google also moves deadlines that fall on national holidays and weekends.
The new policy changes come after Microsoft criticized Google for revealing a security flaw in Windows 8.1 just two days before a patch was sent out. Microsoft argued that Google’s approach was less about principles and more about catching tech firms out.
The slight tweaks to Google’s Project Zero policy now give developers a bit more time to work on fixes. Google’s 90-day window is ‘middle of the road’ among zero-day bug-finding initiatives: the Zero Day Initiative offers a much more lenient 120 days before making bugs public, while CERT only gives 45 days.
KitGuru Says: Google may have jumped the gun a little bit when it came to Microsoft’s Windows 8.1 vulnerability towards the end of last year. These new policy tweaks should help out developers a little bit and, at the same time, won’t have a huge impact on customer security.