Google Project Zero will be shifting from a fairly hard 90-day deadline to a new model that incorporates a 30-day grace period to give users time to install patches before technical details are revealed.
That means developers will still have 90 days to fix regular bugs (with a 14-day grace period if requested), but Google will wait an additional 30 days before disclosing the details publicly.
For flaws being actively exploited in the wild (zero-day), companies still have seven days to patch, with a three-day grace period on demand. However, Google will now wait 30 days before revealing the technical details.
Last year, the team started iterating on disclosure policy with a focus on faster and more thorough patch deployment, as well as improved patch adoption.
Moving to a “90+30” model allows us to decouple time to patch from patch adoption time, reduce the contentious debate around attacker/defender trade-offs and the sharing of technical details, while advocating to reduce the amount of time that end users are vulnerable to known attacks.