{"id":6004,"date":"2025-08-09T05:06:54","date_gmt":"2025-08-09T05:06:54","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/09\/google-project-zero-changes-its-disclosure-policy-html\/"},"modified":"2025-08-09T05:06:54","modified_gmt":"2025-08-09T05:06:54","slug":"google-project-zero-changes-its-disclosure-policy-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/09\/google-project-zero-changes-its-disclosure-policy-html\/","title":{"rendered":"Google Project Zero Changes Its Disclosure Policy"},"content":{"rendered":"\n<div>Google Project Zero Changes Its Disclosure Policy<\/div>\n<div>\n<p>Google\u2019s vulnerability finding team is again <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/google-report-new-vulnerabilities\/\">pushing the envelope<\/a> of responsible disclosure:<\/p>\n<blockquote>\n<p>Google\u2019s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the bug is fixed before the deadline.<\/p>\n<p>However, as of July 29, Project Zero will also release limited details about any discovery they make within one week of vendor disclosure. This information will encompass:<\/p>\n<ul>\n<li>The vendor or open-source project that received the report\n<\/li>\n<li>The affected product\n<\/li>\n<li>The date the report was filed and when the 90-day disclosure deadline expires <\/li>\n<\/ul>\n<\/blockquote>\n<p>I have mixed feelings about this. On the one hand, I like that it puts more pressure on vendors to patch quickly. On the other hand, if no indication is provided regarding how severe a vulnerability is, it could easily cause unnecessary panic.<\/p>\n<p>The problem is that Google is not a neutral vulnerability hunting party. 
To the extent that it finds, publishes, and reduces confidence in competitors\u2019 products, Google benefits as a company.<\/p>\n<\/div>\n<p>Bruce Schneier<br \/>\n<a href=\"https:\/\/www.schneier.com\/blog\/archives\/2025\/08\/google-project-zero-changes-its-disclosure-policy.html\">Go to bruce schneier<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google Project Zero Changes Its Disclosure Policy Google\u2019s vulnerability finding team is again pushing the envelope of responsible disclosure: Google\u2019s Project Zero team will retain its existing 90+30 policy regarding vulnerability disclosures, in which it provides vendors with 90 days before full disclosure takes place, with a 30-day period allowed for patch adoption if the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,1363,163,476,1,416],"tags":[87],"class_list":["post-6004","post","type-post","status-publish","format-standard","hentry","category-bruce-schneier","category-disclosure","category-google","category-patching","category-uncategorized","category-vulnerabilities","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6004"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6004"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6004\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp
-json\/wp\/v2\/media?parent=6004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}