Posted by Tim Willis, Google Project Zero

In 2021, we updated our vulnerability disclosure policy to the current "90+30" model. Our goals were to drive faster yet thorough patch development, and improve patch adoption. While we’ve seen progress, a significant challenge remains: the time it takes for a fix to actually reach an end-user's device.

This delay, often called the "patch gap," is a complex problem. Many consider the patch gap to be the time between a fix being released for a security vulnerability and the user installing the relevant update. However, our work has highlighted a critical, earlier delay: the "upstream patch gap". This is the period where an upstream vendor has a fix available, but downstream dependents, who are ultimately responsible for shipping fixes to users, haven’t yet integrated it into their end product.

As Project Zero's recent work has focused on foundational, upstream technologies like chipsets and their drivers, we've observed that this upstream gap significantly extends the vulnerability lifecycle. For the end user, a vulnerability isn't fixed when a patch is released from Vendor A to Vendor B; it's only fixed when they download the update and install it on their device. To shorten that entire chain, we need to address the upstream delay.

To address this, we're announcing a new trial policy: Reporting Transparency.

The Trial: Reporting Transparency

Our core 90-day disclosure deadline will remain in effect. However, we're adding a new step at the beginning of the process.

Beginning today, within one week of reporting a vulnerability to a vendor, we will publicly share that a vulnerability was discovered. We will share:

The vendor or open-source project that received the report.
The affected product.
The date the report was filed, and when the 90-day disclosure deadline expires.

This trial maintains our existing 90+30 policy, meaning vendors still have 90 days to fix a bug before it is disclosed, with a 30-day period for patch adoption if the ...
First seen: 2025-07-29 15:41
Last seen: 2025-07-29 23:43