
CM – The Project Zero team outlines changes for 2021

Project Zero is a security research team at Google that spends significant time discussing and evaluating vulnerability disclosure policies and the consequences of those policies for users, vendors, security researchers, and software security. The team aims to benefit everyone, working across the ecosystem to make zero-day attacks more difficult. Project Zero has published a summary of the changes that take effect in 2021.

In short, Project Zero will withhold the technical details of a vulnerability for 30 days if the vendor patches it before the 90-day or 7-day deadline expires. The 30-day period is intended to give users time to apply the patch. The team says that if an issue isn’t patched after 90 days, the technical details will be released immediately. Earlier disclosure can be made by mutual agreement.

According to Project Zero, there is a seven-day disclosure deadline for issues that are being actively exploited against users in the wild. If an issue is not patched after seven days, the technical details are published immediately. If the issue is fixed within seven days, the technical details will be released 30 days after the fix becomes available.

The researchers will allow vendors to request a 30-day grace period for in-the-wild bugs. Earlier disclosure can be made by mutual agreement. If Project Zero grants a grace period, that grace period uses up part of the 30-day patch adoption period. For example, an issue fixed on day 100 under a grace period would be disclosed on day 120.

Some elements of the 2021 policy are carried over from 2020. Policy goals include faster patch development, thorough patch development, and improved patch adoption. If a variant of a previously reported bug is discovered, technical details of the variant are added to the existing Project Zero report, which may already be public, and no new deadline is granted.

Ref: https://www.slashgear.com
