Google Extends Project Zero Deadline For Developers to Fix Security Flaws
Project Zero, launched by Google last year, is a program in which Google researchers find security flaws in software and services; the creators of the affected software are then given a deadline to fix those flaws, otherwise the flaws are made public. The deadline was 90 days, but Google has now extended it by allowing a 14-day grace period.
In this program, Google engineers would identify “zero day” vulnerabilities — previously unknown security flaws — in software. After identifying these vulnerabilities, Google would initially give developers a 90-day deadline to fix the issue. If the developers were unable to fix it in the given time, the search giant would make the exploit or security hole public.
Google faced criticism for imposing such a strict deadline on developers. While Google believed that 90 days was enough to fix any kind of flaw and keep consumers safe from attacks, developers thought otherwise: 90 days was not enough for them.
Among the protesters was Microsoft, which was also given a 90-day deadline when Google engineers found a security loophole in Windows 8.1. The Redmond company failed to fix the issue within 90 days, and had planned to release the security patch just two days after Google made the Windows flaw public.
Microsoft criticized Google’s Project Zero, saying its approach felt “less like principles and more like a ‘gotcha.’” The company also argued that Google’s approach ultimately hurt customers by making the security flaws public: in doing so, Microsoft argued, Google was revealing the flaws even to those who had not been aware of them before.
All this criticism has pushed Google to allow some leniency in the 90-day deadline. Now, if developers are unable to fix a flaw within 90 days, they can request a “grace period” of 14 days, which will be granted if they are actively working on the patch. Moreover, “if a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day,” Google said in a blog post.
In its defense, Google argued that people who exploit security flaws put in far more effort than people who work on improving software security, so they are probably aware of the loopholes well before Project Zero engineers identify them. A 90-day deadline, in Google’s view, is therefore optimal for user security.
The search giant gave the example of Carnegie Mellon University’s CERT program, which is similar to Project Zero and gives developers 45 days to fix security flaws found in software and services.