Google’s Project Zero, a team that hunts for vulnerabilities in widely used software and works with vendors to get them fixed, has announced a significant change in its vulnerability disclosure policy. Effective July 29, 2025, the team will publicly disclose the existence of a reported security vulnerability within seven days of notifying the affected vendor. This initiative, termed “Reporting Transparency,” aims to expedite remediation and improve communication between upstream vendors and the downstream parties that depend on their code.
Understanding the “Reporting Transparency” Initiative
Traditionally, Project Zero adhered to a “90+30” disclosure policy. Under this framework a vendor had a 90-day window from the report date to develop and release a patch. If a patch shipped within that window, Project Zero withheld the technical details for a further 30 days from the patch release date, giving users time to update before the details became public. If no patch shipped within 90 days, details were published at the deadline. In practice, however, a patch from the upstream vendor often did not reach end-users for a long time afterwards, because downstream vendors were slow to integrate the upstream fix into their own products.
The new “Reporting Transparency” policy introduces an early disclosure phase. Within seven days of notifying a vendor about a vulnerability, Project Zero will publicly share basic information about the report, including:
– The name of the affected vendor or open-source project.
– The specific product impacted.
– The date the vulnerability was reported.
– The 90-day deadline for public disclosure.
Crucially, this early disclosure will not include technical details, proof-of-concept code, or exploit information. The announcement reveals only that a product has an unpatched issue under a known deadline; it gives an attacker nothing to exploit with that they did not already have.
Addressing the “Upstream Patch Gap”
One of the primary motivations behind this policy shift is to tackle the “upstream patch gap.” This term refers to the period between an upstream vendor releasing a fix and downstream vendors integrating that fix and distributing it to end-users. In complex supply chains, especially those built on foundational components such as chipset drivers and embedded systems that are shipped inside many other vendors’ products, this gap can be substantial, and the 90+30 clock did not account for it: the details could become public while large numbers of users were still running unpatched downstream builds.
By publicly disclosing the existence of vulnerabilities early in the process, Project Zero aims to:
– Enhance Transparency: Inform all stakeholders, including downstream vendors and end-users, about potential security issues, prompting quicker action.
– Accelerate Patch Adoption: Encourage downstream vendors to prioritize integrating upstream fixes, reducing the time it takes for patches to reach end-users.
– Strengthen Communication: Foster better collaboration between upstream and downstream vendors, ensuring that security patches are disseminated more efficiently.
Implications for Vendors and Users
For vendors, this policy change underscores the importance of prompt and coordinated responses to security vulnerabilities. The early public announcement serves as a call to action: upstream vendors are on a visible clock, and downstream vendors can no longer claim to be unaware that an upstream fix is coming and that technical details will follow the 90-day deadline.
End-users gain earlier awareness that a product they rely on has a reported but unpatched vulnerability. Because the early disclosure carries no technical details, there is little a user can do with it directly; its practical value is that administrators and downstream vendors can track the published deadline and be ready to apply or ship the update as soon as it is available.
Balancing Transparency and Security
A potential concern with early disclosure is that malicious actors could act on the information before patches are available. Project Zero has addressed this by limiting the initial disclosure to basic information, devoid of technical specifics that could aid in developing an exploit. The residual risk is that naming the affected product tells attackers where to look, but a well-resourced attacker already has the capacity to audit that product, and the withheld details are what would actually shorten their path to a working exploit. The approach aims to strike a balance between transparency and security, keeping the public informed without materially increasing the risk of exploitation.
Conclusion
Google Project Zero’s “Reporting Transparency” initiative marks a significant evolution in vulnerability disclosure practices. By publicly announcing the existence of a vulnerability shortly after vendor notification, the team aims to shrink the time it takes for patches to reach end-users, improve communication across the software supply chain, and ultimately improve overall security. Project Zero has framed the change as a trial, so its effect on patch timelines will be evaluated as reports accumulate, with the possibility of further refinements based on the observed outcomes.