Google Project Zero gives developers more time to fix security problems


By Larry Banks

Last year, Google announced Project Zero as a way to improve Internet security: Google engineers identify ‘zero day’ vulnerabilities in software – previously unknown security issues that developers have not yet patched or fixed. When such a problem was discovered, Google would give the developer 90 days to issue a fix before making the issue public. Now, in the face of criticism, it has extended the 90-day deadline.

Google Project Zero deadline extended

Now, if a developer informs Google that a fix is on the way but will not meet the 90-day deadline, they may be able to receive a 14-day extension in order to release a patch without the security hole being announced to the public. Google will also move deadlines which fall on weekends or holidays to the next working day, and may also move deadlines forwards or backwards if it deems this necessary.

This change in policy comes just a month after Microsoft criticised Google for publishing information about a Windows 8.1 security issue just two days before it was already scheduled to be fixed. Microsoft said that Google’s approach was “less like principles and more like a ‘gotcha,’” and that customers would suffer as a result. But after Google published details of another Windows 8.1 security hole before Microsoft could ready a fix, Google defended the 90-day window, saying that the deadlines were “currently the optimal approach for user security.”


The updates to the Project Zero policy now allow developers more time to complete work on identified software issues, but Google’s requirements are not the strictest among security research bodies when it comes to zero-day disclosures. Google says that its 90-day policy is a middle-of-the-road deadline timetable in comparison with others in the industry.

For example, the Zero Day Initiative (which rewards researchers for spotting zero-day vulnerabilities) offers a 120-day period, while Carnegie Mellon’s CERT only provides 45 days before it makes the security holes public.
