Google Project Zero changes approach to disclosure of data about vulnerabilities

According to online reports, the Google Project Zero security research team will change this year the rules under which data on the vulnerabilities it discovers is made public.

Under the new rules, information about a discovered vulnerability will not be made public until the 90-day period has ended. Regardless of when the developer fixes the problem, Project Zero will not disclose details of it before then. The new rules will be applied during this year, after which the researchers will assess whether to adopt them on a permanent basis.


In the past, Project Zero researchers gave software developers 90 days to fix a discovered vulnerability. If a patch fixing the bug was released before the end of that period, information about the vulnerability became public at that point. The researchers came to see this as wrong, since in many cases users then had to rush to install the update in order not to fall victim to attackers. The developer may have patched the vulnerability, but that matters little if the patch has not yet been widely deployed.

Therefore, regardless of whether the fix is released 20 or 90 days after Project Zero informs the developer about the problem, information about the vulnerability will now be made public only after 90 days. There are some exceptions to the rule. For example, if the researchers and the developers come to an agreement, the time to fix the problem can be extended by 14 days; this is possible when the software developers need more time to create a patch. The seven-day deadline for fixing vulnerabilities that are already being exploited by attackers remains unchanged.

Project Zero researchers note that, since the start of their activity, developers have become better at eliminating the discovered vulnerabilities. For example, in 2014, when the project was just formed, vulnerabilities were sometimes still unfixed six months after they were discovered. Currently, 97.7% of discovered vulnerabilities are fixed by developers within the 90-day period.
