Google’s Project Zero disclosure program was introduced so that security fixes would be released promptly. But things had gone sideways, with premature disclosures, incomplete fixes and more.
Google is planning some serious revisions in 2020, and its latest policies address some of these issues. Interestingly, Google will now wait the full 90 days before disclosing a flaw even if it is fixed ahead of time, giving developers time both to distribute the patch and to ensure that they have addressed the root cause of the flaw. Also, if a fix turns out to be incomplete, it will be reported to the developer and added to the existing report rather than filed as a new one.
Google also plans to open the tracker report as soon as a flaw is patched when the developer missed the 90-day target but delivers the fix within a further 14-day grace period. These latest plans are set to roll out throughout 2020 as a trial phase.
This should also increase the chances that users are protected against exploits before the details are made public. But this isn’t the whole picture: Google’s come-hell-or-high-water approach to disclosure has sometimes led to flaws being published while patches were still in the works, either forcing a hasty release or leaving users exposed.