In a blog post today, the Google Security team announced changes to policies on full disclosure of bugs found by Project Zero, the security research team that uncovered zero-day vulnerabilities recently revealed in Microsoft's Windows 8.1 and Apple's OS X operating systems. Those disclosures, which were made 90 days after Google alerted Microsoft and Apple in accordance with Project Zero's strict release policy, stirred controversy because they had not yet been patched—and gave attackers time to leverage them before Microsoft and Apple distributed fixes.
The announcement, authored by Project Zero's Chris Evans and Ben Hawkes, Google Security's Heather Adkins, Matt Moore, and Michal Zalewski, and Google Security Vice President Gerhard Eschelbeck noted, "Disclosure deadlines have long been an industry standard practice," citing the disclosure policies of the Carnegie-Mellon CERT, Yahoo, and TippingPoint's Zero Day Initiative. Deadline policies for vendor disclosure "improve end-user security by getting security patches to users faster," the Google team stated.
Project Zero set a 90-day deadline, and since Project Zero's launch, Google's team claimed, "of the 154 Project Zero bugs fixed so far, 85% were fixed within 90 days. Restrict this to the 73 issues filed and fixed after Oct 1st, 2014, and 95% were fixed within 90 days." The Microsoft and Apple bugs disclosed and other deadline misses by vendors, they noted, "were typically fixed very quickly after 90 days. Looking ahead, we’re not going to have any deadline misses for at least the rest of February."