Reports will include the impacted product and the vendor or open-source project behind the product but not technical information that could be leveraged by threat actors.
Google Project Zero has committed to publicly sharing vulnerability details within a week of the issue's disclosure to the vendor in a bid to accelerate the timeline between the release and application of security patches.
According to CyberScoop, early vulnerability reports will include the impacted product and the vendor or open-source project behind the product, as well as the report filing date and 90-day disclosure deadline. However, proof-of-concept details or other technical information that could be leveraged by threat actors will not be included, which maintains the 90+30 disclosure deadline policy for vendors and affected customers.
"This data will make it easier for researchers and the public to track how long it takes for a fix to travel from the initial report, all the way to a user's device," said Google Project Zero Head Tim Willis, who noted an ongoing assessment of the policy change's impact on vulnerability remediation efforts.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.