Google backs off – just a little – on Project Zero

The controversial Project Zero made Google a lot of enemies, from software giants to companies and individual users caught in the middle. Now Google is deciding to take it a little easier on its critics. 

To recap: Project Zero is a Google initiative to find flaws and vulnerabilities in a variety of products – not just its own. So Google has gone bug-hunting in Microsoft and other competitors’ software, operating systems and more.

If a bug was found, Google notified the vendor and started a 90-day countdown. At the end of those 90 days, it made the vulnerability public, whether or not a patch existed – which meant attackers could learn about a flaw, and how to exploit it, at the same moment as everyone else.

Sometimes, companies weren’t able to meet the 90-day deadline, and their flawed code was put out for the world to see and take advantage of.

That very situation happened multiple times with Microsoft.

Project Zero became Project zero-day.

Grace period added

After a lot of criticism (Microsoft was particularly angry that the 90-day deadline ran afoul of its normal Patch Tuesday schedule), Google has relented.

It’ll now hold off on any public announcement for 14 more days after the 90 days run out if the vendor tells Google that a fix is on its way. It’ll also allow a one-day grace period when the deadline falls on a major holiday.

After all, Google doesn’t want to ruin anyone’s Christmas. That would be evil.

None of this solves the underlying debate: Is Google right to publicly disclose known vulnerabilities, given that hackers can then take advantage of them?

On the one hand, naming and shaming could encourage faster patch releases by companies (or force their hand into releasing patches that they otherwise would’ve ignored). But on the other hand, knowingly airing someone else’s dirty laundry isn’t a way to win any sympathy – especially because doing so leaves everyday users more at risk than companies.

One thing is certain: the controversy won’t be going away in the foreseeable future. So in the meantime, make sure your patching policies are solid and ready to go into action as soon as a vulnerability becomes known.
