Google's Project Zero has not been met with a lot of acceptance from the software community, and has received particular flak from Microsoft. That is a reasonable response from a company that seems to have been specifically damaged by Project Zero's 90-day release policy. That policy, which Microsoft has had no power to alter, has unfortunately released information about Microsoft vulnerabilities before the company has had a chance to patch them. That is an incredibly unusual circumstance in the security world, where the normal policy is to inform the developer of the issue, allow them to patch it, and then release the details of the issue.
This week, Google revised its policy of releasing information on a strict 90-day schedule. It said that it would begin to give vendors an additional 14 days, so long as the vendor promised to fix the issue within that two-week period.
We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
Unfortunately, as any software developer will tell you, a hard release schedule set by someone outside of your development environment is insane. Some patches reach deeper into the system and require significant changes higher up once the initial change is made. Some of these changes simply cannot be made within a 90-day period, and to expect otherwise shows a complete lack of understanding of the software process. It is understandable, though, for a company so totally removed from well-built software.
It will be interesting to see in the coming months which "vendors" they decide to apply these more lenient rules to. Will Microsoft see 14-day grace periods, or will they be reserved for, as they say, "bugs in the pipeline for Google products"?