• Google Project Zero: 90-day disclosure is working, with 97.5% of reported vulns being fixed within 90 days

    Posted on August 2, 2019 at 10:12 CDT by Comment in the Forums

    The details are a little more complicated, but not much. Google’s Project Zero has turned up 1,434 security vulnerabilities in the past four and a half years:

    Of these, 1224 were fixed within 90 days, and a further 174 issues were fixed within the 14-day grace period [granted when it looks like the manufacturer is going to release a patch shortly]. That leaves 36 vulnerabilities that were disclosed without a patch being available to users, or in other words 97.5% of our issues are fixed under deadline.

    Realize that Google has a vested interest in saying that their disclosure policy is good for all of us — debatable, but I strongly agree — and they come to the conclusion:

    If most bugs are fixed in a reasonable timeframe (i.e. less than 90 days), then we are only enforcing the deadline on a very small number of unfixed cases. And if disclosing a handful of unfixed vulnerabilities doesn’t substantially help attackers in the short-term, but does lead to the demonstrated long term benefits of shortened patch timelines and more frequent patching cycles, then it would follow that a deadline based disclosure policy is good for user security overall.

    Interesting report. Thank to Catalin Cimpanu, who has additional observations on ZDNet.

    Windows Patches/Security , ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    March 2025
    S M T W T F S
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    3031  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.