There's no hard-and-fast rule when it comes to disclosing security vulnerabilities. Most researchers, however, coordinate public disclosure with the affected company, or at least give it a fixed window (90 days is the common figure) to address the problem before details are published. Google Project Zero announced yesterday that it's testing a new disclosure policy in 2020 under which every company gets the full 90 days, even if the bug is fixed early.
Project Zero is a Google team of security researchers who look for zero-day vulnerabilities in widely used tech products. The researchers share details of the flaws they find with the affected company so the issues can be addressed before they're made public. That way the team isn't publishing technical write-ups of previously unknown vulnerabilities that attackers could exploit before the company has released a fix.
Google previously gave companies 90 days to resolve issues before it would publicly reveal them. If the company released a fix before that 90-day period was over, however, Project Zero could decide to disclose the vulnerability early. The 90-day period was treated as a maximum rather than a guaranteed length of time between sharing details of a vulnerability in private and broadcasting them to everyone else.
That's changing in 2020. Project Zero said it now treats the 90-day period as a minimum rather than a maximum. As the team succinctly put it in its blog post: "Fix a bug in 20 days? We will release all details on Day 90. Fix a bug in 90 days? We will release all details on Day 90." The new policy still allows for earlier public disclosure, but only if the affected company and Project Zero both agree to it.
Project Zero said it will evaluate the new policy for 12 months before deciding whether to make it permanent. That should be long enough for the team to collect feedback from numerous companies, evaluate the policy's effectiveness and identify any unforeseen consequences. The team won't be surprised if some take issue with the change, as it explained in the blog post:
"Disclosure policy is a complex topic with many trade-offs to be made. We don't expect this policy to please everyone, but we’re optimistic that it will improve on our current policy, encompasses a good balance of incentives and will be a positive step for user security. We plan to re-evaluate whether it is accomplishing our policy goals in late 2020."
Project Zero made other changes to its policies, too, but the change to the disclosure timeline will be the most readily apparent to the public. More details can be found in the security team's announcement. It's not clear whether the new rules apply to vulnerabilities reported to companies in late 2019, in which case those could be publicly disclosed in the coming months, or only to bugs reported in 2020.