Google Project Zero updated its vulnerability disclosure policy to a "90+30" model, aiming for faster patch development and adoption. A significant challenge remains: the "patch gap," the delay between a fix's release and its installation by users. Project Zero identified an earlier delay, the "upstream patch gap," in which an upstream vendor has a fix available but downstream dependents have not yet integrated it. This upstream gap significantly extends the lifecycle of a vulnerability.

To address this, Project Zero announced a new trial policy, "Reporting Transparency." Under the trial, within a week of reporting a vulnerability, Project Zero publicly discloses that the report exists: the vendor, the product, the report date, and the disclosure deadline. The core 90+30 policy is unchanged, and Google Big Sleep is also trialing the policy. The goal is to shrink the upstream patch gap by increasing transparency, so that downstream dependents are informed early and vendors are encouraged to communicate better. The trial also aims to track the time from report to installation on user devices, making it visible when fixes are not being applied.

No technical details are released until the deadline; the early disclosure is an alert, not a blueprint for attackers. While a minority of vendors might face unwelcome attention, the benefits to the ecosystem outweigh that risk. The ultimate goal is a safer ecosystem in which vulnerabilities are actually remediated on user devices. This is a trial, and Project Zero will monitor its effects and adapt its policies accordingly.
googleprojectzero.blogspot.com
