Project Zero is a team at Google tasked with finding vulnerabilities and reporting them to the affected vendors.
Under the old rules, software vendors had 90 days from the day Google reported a vulnerability to them to release a patch. Whether or not a patch shipped, Google would then publish the vulnerability, often with enough detail that a bad actor could use the information to build an exploit. Google later added an optional grace period that a vendor could request when a patch was close to completion.
Detractors argue that the hard deadline puts the public at risk when a vendor is actively working on a fix but the problem is complex enough that it cannot be resolved within 90 days. Others point out that some companies would not patch at all without a hard deadline; the public pressure helps convince a vendor to act where it otherwise would not.
Finding that middle ground is the hard part, and Google says it will make adjustments to address the concerns of the wider security community. In 2021, if a vendor releases a patch before the 90-day window expires, Project Zero will wait another 30 days before disclosing the details of the vulnerability. The idea is to give users time to install the update and be protected. However, if a vendor requests a grace period, that period runs within the 30-day update window rather than extending it.
Those rules apply when Google has not found the vulnerability already being actively exploited. Previously, for a bug under active exploitation, Google disclosed full details within seven days of notifying the vendor. Going forward, it will still disclose the existence of the vulnerability after seven days, but will wait another 30 days before releasing the technical details.
That only applies to 2021, because next year Google plans to shorten all of its windows slightly. Starting in 2022, Project Zero will transition to an “84 + 28” model – 84 days to disclosure, plus an additional 28 days before full details are published. Project Zero hopes that shortening the windows will encourage faster patch development. It also notes that moving to day counts divisible by seven keeps a deadline on the same weekday as the original report, reducing the likelihood of it falling on a weekend – when software vendors typically have days off.
Source: Project Zero