Google’s Project Zero changed vulnerability disclosure policy for 2020
Project Zero changed in a trial 12-month mode its vulnerability disclosure policy to faster and improve patch adoption and development. Starting from 2020 Project Zero will keep information for full 90 days by default, regardless of when the bug is fixed unless there are special mutual agreements with vendors to disclose it earlier. If a vulnerability is not fixed within 90 days, Project Zero may grant an additional 14 days for vendors upon request. After 90 days the team will automatically publish tracker reports for bugs and vulnerabilities.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.