Google to Delay Publishing Bug Details for 30 Days
Google has announced that it will not publish vulnerability details for 30 days after the initial public disclosure, giving customers more time to fix the bugs and implement patches before technical details are released that could potentially be used by an attacker to exploit the flaw. Google's Project Zero team typically maintains a strict 90-day policy of public vulnerability disclosure after vendor notification, in order to pressure firms to patch bugs more quickly. According to Google, the extra 30-day grace period applies only to bugs that are fixed within the initial 90 days; if an issue remains unpatched by the vendor for the duration of that period, the technical details will be published immediately.
Google also extended the extra 30-day period to bugs being actively exploited in the wild against consumers. The early release of details surrounding each bug helps the defensive community and protects users; however, it also risks inviting opportunistic attacks and alerting bad actors to the technical details of flaws: what they are, where to find them, and sometimes how to exploit them.