Google relaxes its rigid 90-day bug disclosure period

Google has announced that its 90-day vulnerability disclosure period will, from now on, be little longer if the situation warrants it.

Earlier this year the company was criticized by Microsoft for its lack of flexibility when it comes to this disclosure period, after Google made public three Windows zero-day vulnerabilities along with exploit code. The disclosure process has so far been automated, likely in an effort to show that Google is not playing favorites and is not ill-disposed against certain companies.

“Although following through [with the vulnerability release] keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a ‘gotcha’, with customers the ones who may suffer as a result,” Chris Betz, Senior Director of the Microsoft Security Response Center, noted at the time.

“Ultimately, vulnerability collaboration between researchers and vendors is about limiting the field of opportunity so customers and their data are better protected against cyber attacks. Releasing information absent context or a stated path to further protections, unduly pressures an already complicated technical environment,” he added.

This reproof and the lively debate about the right way to perform vulnerability disclosure that was started by this incident has obviously not fallen on deaf ears, and Google is relaxing the 90-day bug disclosure period.

“If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day,” Google security engineer Chris Evans announced on Friday, adding that the company’s Project Zero will also institute a 14-day grace period.

“If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).”

“As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances,” he finally pointed out, and said that all vendors – including Google itself – will be treated equally when it comes to enforcing these rules.

There was no mention of any changes when it comes to Google’s disclosure timeline for actively exploited bugs, so we can assume that it remains the same as before: seven days.

“While it is positive to see aspects of disclosure practices adjust, we disagree with arbitrary deadlines because each security issue is unique and end-to-end update development and testing time varies,” Betz commented the changes. “When finders release proof-of-concept exploit code, or other information publically before a solution is in place, the risk of attacks against customers goes up.”