Google’s Security Approach: A New Era for Vulnerability Disclosure
Google is shifting gears in how it handles software vulnerabilities, and the change is likely to stir up discussion. The tech giant’s Project Zero, the team that hunts for previously unknown software flaws (so-called zero-days), is adopting a new strategy aimed at speeding up the patch process.
Previously, when Project Zero uncovered a flaw, they would give software vendors a 90-day grace period to fix it. If a vendor managed to roll out a patch, the team would wait an additional 30 days before going public with the vulnerabilities.
However, in a move designed to pressure vendors to step up their game on patch rollouts, Project Zero has revamped its disclosure policy. The key change? They’ll now announce the existence of uncovered flaws—and the names of the products involved—within just one week of alerting the company to the issue.
In a trial run of the new policy, Project Zero has already flagged two new vulnerabilities in Microsoft Windows and three in a Google product, “BigWave”, which some speculate might be connected to a video codec.
In an effort not to invite unwanted attention from hackers, Google won’t be revealing specific details about the flaws or how serious they are just yet. Tim Willis, the head of Project Zero, made it clear: “No tech specs, no proof-of-concept snippets, and no info that could ease the discovery process will be shared until the deadline has passed. We aim for transparency that warns, not for a blueprint for exploitation.”
The update is meant to close what is called the “upstream patch gap”: the window in which a software vendor has fixed a flaw, but the downstream partners who must distribute that fix lag behind, leaving users exposed.
Willis believes that greater visibility into vulnerabilities will prompt better communication between the software vendors and their ecosystem partners, ultimately leading to faster updates and a reduction of those security risks for end users.
“We’re hoping this trial period will pave the way for stronger dialogues surrounding security concerns, resulting in swifter patches and boosting user awareness,” he added.
Of course, Project Zero understands that throwing light on unpatched bugs is a double-edged sword. This policy might raise eyebrows from some vendors—including Google—since it places their unresolved issues front and center. That’s likely why they’ve decided to tee up this policy as a trial, monitoring closely how it all plays out.
Willis also acknowledged that some vendors might find the extra spotlight uncomfortable, particularly those without intricate software ecosystems. Nevertheless, he emphasized that the current small set of vendors who still lack robust communication channels accounts for only a small slice of the vulnerabilities surfacing in Project Zero reports. In his view, the benefits of transparency will outweigh the challenges those vendors face.
An FAQ published by Project Zero has already defended the rationale for making certain vulnerabilities public. “Given the complexity of software, vulnerabilities are a given. Situations like announcing a flaw in the Android media server do not pose significant risk to attackers,” the document states.
Just so you know: As of July 29, 2025, Project Zero identified a hefty 2,131 vulnerabilities under a 90-day timeout in their tracking system. Out of these, 95 vulnerabilities were disclosed without a patch in sight for users.
