New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Google Relaxes Project Zero Bug Disclosure Policy

Monday February 16, 2015 7:30 am PST by Joe Rossignol
googlesearchGoogle's security team Project Zero recently announced some changes to its bug disclosure policy after controversially exposing Apple and Microsoft security flaws when the companies failed to meet the 90-day deadline. The new disclosure deadline has a 14-day grace period and excludes weekends and public holidays, providing tech companies with more time to properly address security vulnerabilities in their software.
"We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch."
Project Zero is a security team consisting of experienced programmers that look through the code of Google and several of its competitors to discover security flaws, like those uncovered in OS X Yosemite back in January. The team immediately discloses any vulnerabilities found to vendors, providing them with a 90-day deadline to release a software patch before sharing the vulnerabilities with the public.

The role of Google playing security watchdog for other companies has been the subject of much debate, with some believing that the company has a disingenuous agenda and others claiming that it is taking appropriate action. Google claims that it holds itself to the same 90-day policy it enforces on other tech companies, with bugs in the pipeline for Chrome and Android that are subject to the same deadline policy.

Tags: Google, Project Zero
[ 115 comments ]


Top Rated Comments

(View all)

Avatar
viorelgn
55 months ago
How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.
Rating: 44 Votes
Avatar
sualpine
55 months ago
Oh gee, Google, thanks. Thank you so much for being less of an ass trying to audit every single other company's software, except for your own. Has the Lollipop memory leak been fixed yet? Where is 5.0.3?
Rating: 30 Votes
Avatar
Musocat
55 months ago
What a bunch of assbags.
Rating: 22 Votes
Avatar
kuwxman
55 months ago
The normal Google haters in here ignoring that them doing this is a good thing for everyone...
Rating: 22 Votes
Avatar
marzer
55 months ago
I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.
Rating: 15 Votes
Avatar
till213
55 months ago

How many Android phones are out there with vulnerabilities unpatched? Google is doing this to sabotage their competitors. I don't believe their humanitarian story one bit.


I couldn't give less than a rat's ass for whatever reasons Google digs out security issues with their competitor's products. Someone does it. Security issues get fixed (or not). That's all that counts.

If Google doesn't reveal those issues, chances are that they go unnoticed by the good guys - but the bad guys are already exploiting them, so making security issues public after a grace period makes the world a better place.

It's that simple.
Rating: 12 Votes
Avatar
winston1236
55 months ago
Egos aside, this is actually a very good thing for consumers as a whole.
Rating: 12 Votes
Avatar
BittenApple
55 months ago
Don't be evil.

Google under Eric E. Schmidt is not good.
Rating: 11 Votes
Avatar
bbeagle
55 months ago

Except the blindingly obvious is, why the hell SHOULD Google be doing this? Why can't Apple and Microsoft fix their OWN flaws BEFORE releasing software..


It sounds like you don't understand software. Fundamentally, software ALWAYS has bugs. Just like everything else in the world. It's high profit / low risk to find software bugs and exploit them.

I can enter your house just by using a rock I find in your garden right outside your door. But using the rock to smash your window, enter, and rob your stuff is low profit / high risk. It happens, but not as often as it could.

But it's VERY costly to find ALL bugs and fix them. It's not like I can look through software code and go 'Gee - there's a bug - I'll fix it'. It's highly complicated and takes a lot of brain power to figure out.
Rating: 11 Votes
Avatar
kwizatz
55 months ago

I don't see how this could be a bad thing. It's not like they are finding bogus issues, it's all been legitimate vulnerabilities. If Apple and MS were against it, they could step up their own internal efforts to find and fix vulnerabilities before a third party can expose them. I think this is a really good thing for users. It's a really good thing for security.


I think it's a step in the right direction, but it suffers from the same sort of arbitrariness as their previous policy.

So if MS or Apple or whoever contacts Google, and says "hey, we're working on a fix, we expect it to be ready in 3 weeks".. Google is saying "Sorry, not fast enough! We're gonna make this vulnerability public!"

I just don't see how publicizing an unpatched vulnerability (when the vendor is known to be working on a fix) helps to make the end user more secure.
Rating: 11 Votes

[ Read All Comments ]