What is Google Project Zero

Google's Project Zero will post security vulnerabilities with a delay

Google's Project Zero is trying a new method to persuade software providers to fix security vulnerabilities more quickly, while at the same time giving end users time to install the updates. At first glance, the new approach seems absurd: The public should be informed later than before. But Google thought something about it.

Google's "Project Zero" team tracks down weaknesses and errors in Google's own software as well as in software developed by other companies. The security team forwards any security gaps found directly to the provider. The software authors then have 90 days to correct the errors. So far, Google has informed the public after 90 days. So far, Google has already published vulnerabilities actively exploited by attackers after seven days.

The new approach

In the case of not actively exploited vulnerabilities, Google continues to grant the authors 90 days for the time being. If they do not provide any patches by then, the public will be informed immediately. However, if there is a patch, Google waits 30 days from the availability of the update before publicly disclosing the vulnerability. So it can take up to 120 days for the public to get wind of it.

Software vendors can request an additional 14 days from Project Zero. Even then, the security team will go public after 120 days at the latest. The background to this is the fundamental question of who will benefit more from publications, users or attackers. The question is old and cannot be answered universally.

Shorter deadlines in acute danger

In the case of actively exploited security gaps, Google only grants the providers seven days. The software authors can apply for a three-day extension. If there is then no fix, Google immediately goes public.

However, if there is a fix within seven days, Google waits another 30 days. So it can take up to 37 days for Google to inform the public about actively exploited vulnerabilities.

Over time, Project Zero would like to gradually reduce the deadlines to encourage vendors to provide faster security updates. For example, 90 + 30 days could become 60 + 30 days. First, however, Project Zero will evaluate the effects of the new approach.


Read comments (5) Go to the homepage


Whether security gaps, viruses or Trojans - all security-relevant messages are available from heise Security

E-mail address

You can find detailed information on the dispatch procedure and your cancellation options in our data protection declaration.