Vulnerability Disclosure Policy

90+30 policy

Project Zero follows a 90+30 disclosure deadline policy, which means that a vendor has 90 days after Project Zero notifies them about a security vulnerability to make a patch available to users. If they make a patch available within 90 days, Project Zero will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.

For example:

  • If a vendor patches a security issue 47 days after Project Zero notified the vendor about the vulnerability, details would be made public on day 77.
  • If a vendor patches a security issue 83 days after Project Zero notified the vendor about the vulnerability, details would be made public on day 113.

If a vendor is unable to patch an issue within the initial 90 days, Project Zero will make the details of the vulnerability public at the end of the 90-day period.

Grace period

If a vendor is unable to make a patch available in 90 days, but will make a patch available within an additional 14 days (i.e., within 104 days since the vulnerability was disclosed to the vendor), Project Zero may grant a grace period to the vendor upon request. In that case, Project Zero will publicly disclose details of the vulnerability 120 days after the vulnerability was initially disclosed to the public.

In-the-wild vulnerabilities

As described in Google's application security vulnerability disclosure policy, if Project Zero finds evidence that a vulnerability is being actively exploited against real users "in the wild", a 7-day disclosure policy replaces the 90-day policy. However, the 30-day window still applies, meaning that Project Zero will publicly release details of the vulnerability 30 days after a patch is made available to users, as long as a patch was made available by the end of the 7-day deadline.

The grace period for in-the-wild vulnerabilities is 3 days. Similar to the 90-day policy, public details for patches made available during the grace period will still be released to the public 30 days after the original deadline (i.e., day 37), regardless of on which day the patch is released.

Mutually-agreed early disclosure

In any of the above cases, Project Zero and the relevant vendor can mutually agree to release details of a vulnerability earlier than the date indicated by policy.

For more information and background on our policy, please see the explainer blog post and our disclosure policy FAQ.

No comments:

Post a Comment

Subscribe to: Posts (Atom)