Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that adds a 30-day grace period to give users time to install patches before technical details are revealed.

That means developers will still have 90 days to fix regular bugs (with a 14-day grace period if requested), but Google will wait an additional 30 days before disclosing the details publicly.

For flaws being actively exploited in the wild (zero-days), companies still have seven days to patch, with a three-day grace period on demand. However, Google will now wait 30 days before revealing the technical details.

Last year, the team started iterating on disclosure policy with a focus on faster and more thorough patch deployment, as well as improved patch adoption.


Moving to a “90+30” model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details while advocating to reduce the amount of time that end users are vulnerable to known attacks.

Priyanshu Vijayvargiya

Founder and Editor-in-Chief of 'Virtualattacks Inc', Priyanshu Vijayvargiya is a cybersecurity analyst, information security professional, developer, and white hat hacker.
