Back in 2014, Google announced Project Zero, an initiative to help spot bugs, vulnerabilities, and exploits in the hope of preventing security disasters on phones, computers, and so on. It is a noble effort, although Google’s 90-day policy before public disclosure has rubbed some companies the wrong way.
Ultimately we suppose Google just wants to keep the internet safe, and perhaps in a bid to prevent further unhappiness at its practices, Google’s Project Zero team has recently announced that it will extend that 90-day period by an additional 14 days, but only if the vendor informs the team before the deadline.
According to Google, “We now have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).”
Of course, this isn’t as generous as other companies that give longer grace periods, such as ZDI, which gives companies a 120-day grace period, but we suppose it is better than nothing and could go a long way toward ensuring a better relationship between Google and some of these vendors.