Google Project Zero Tests New Vulnerability Disclosure Policy

There's no hard-and-fast rule when it comes to disclosing security vulnerabilities. Most researchers, however, coordinate their public disclosure with the affected company, or at least give it 90 days to address the problem before the details are exposed. Google Project Zero announced yesterday that it's testing a new disclosure policy in 2020 under which all companies get the full 90 days even if the bug is fixed early.

Project Zero is a team of security researchers who look for zero-day vulnerabilities in tech products. The researchers then share information about the security flaws with the affected company so they can be addressed before they're made public. That way they aren't offering technical explanations for previously unknown vulnerabilities that attackers can exploit before the company releases a fix.

That's changing in 2020. Project Zero said it now treats the 90-day period as a minimum rather than a maximum. As the team succinctly put it in a blog post: "Fix a bug in 20 days? We will release all details on Day 90. Fix a bug in 90 days? We will release all details on Day 90." The new policy does allow for early public disclosure, however, if the affected company and Project Zero both agree to it.

"Disclosure policy is a complex topic with many trade-offs to be made. We don't expect this policy to please everyone, but we’re optimistic that it will improve on our current policy, encompasses a good balance of incentives and will be a positive step for user security. We plan to re-evaluate whether it is accomplishing our policy goals in late 2020."

Project Zero made other changes to its policies, too, but the change affecting vulnerability disclosures will be the most readily apparent to the public. More details can be found in the security team's announcement. It's not clear if the new rules will apply to vulnerabilities shared with other companies in late 2019, meaning we could see them publicly disclosed in the coming months, or if it only applies to 2020.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.