- Google’s Project Zero gives suppliers 90 days to fix a bug and 30 days for patch adoption
- ‘Upstream patch gap’ means it takes too long before a patch becomes available
- Reporting more details will encourage more transparency
Google has promised to update Project Zero’s disclosure policy so that more security details are reported sooner, in an attempt to improve security by giving developers faster access to the finer details of vulnerabilities.
Project Zero was launched by 2021, with a 90+30 policy: 90 days for suppliers to fix a reported bug, and another 30 days for users to adopt the patch if it is fixed within the 90-day window.
Since then, however, a so-called ‘upstream patch gap’ has emerged, whereby the time between when a fix is available upstream and when downstream suppliers make it available is longer than ideal, extending the life cycle of vulnerabilities.
A new trial policy will improve transparency by revealing the supplier or open source project, the affected product, the date the report was submitted and the 90-day disclosure deadline.
The changes were announced by the project’s Tim Willis, who explained: “For the end user, a vulnerability is not corrected when a patch is released from supplier A to supplier B; it is only fixed when they download the update and install it on their device.”
“By giving an early signal that a vulnerability has been reported upstream, we can better inform downstream dependents,” Willis wrote.
Google hopes that updating Project Zero to include more details earlier will help the public track how long it takes between a supplier first making a patch available and that patch reaching the end user’s device. Willis explained that the goal is an environment in which transparency is normal and expected.
Willis emphasized, “No technical details, proof-of-concept code or information that we believe will significantly help discovery will be released,” so the earlier reporting will not give attackers the upper hand.



