Image credit: dusanpetkovic via Getty Images

Google's new policy gives developers more time to address security flaws

You might see fewer companies rushing out half-baked patches.

Google's Project Zero disclosure program is supposed to encourage timely security fixes, but things haven't gone according to plan. Premature disclosures, half-hearted fixes and other issues have been a little too common. The company might address some of those problems in 2020, though. It recently revised its policies in a bid to encourage both more "thorough" security patches and wider adoption of those patches. Most notably, Google will now wait the full 90 days before disclosing a flaw, even if the developer fixes it well ahead of that deadline. Developers who act quickly therefore get more time to distribute patches and to make sure those fixes address the root cause of a flaw, rather than just the reported symptom.

There are more reforms. If a fix turns out to be incomplete, Google will report that to the developer and add it to the existing report instead of treating it, as sometimes happened before, as a separate problem with its own deadline. Google will also open its tracker reports the moment a flaw is patched during the "grace period" (a 14-day extension available when a developer will just miss the 90-day target), and otherwise on the 90th day.

Google plans to test the revamped Project Zero approach throughout the whole of 2020, and might make it permanent if there aren't problems.

This should increase the chances that you'll be well-protected against exploits before they're made public. At the same time, it doesn't address concerns that Google's come-hell-or-high-water approach to disclosures has sometimes led to disclosures while patches were in the works, either forcing a hasty release or leaving users exposed. You could still see instances where you have no choice but to live with an elevated risk.
