When Google launched its Project Zero initiative in July of 2014, it ruffled more than a few feathers throughout the software development community. With a clear brief to find, and expose, bugs and vulnerabilities in software apps from any and all developers, Google’s Project Zero couldn’t help but stir up a bit of a storm. The push back has been ongoing, with software developers all but accusing Google of holding them to ransom. Still, Google remained unmoved, and stuck to their 90 day zero hour deadline. Once the Project Zero team identified an exploitable vulnerability in a software app, the developing firm was given 90 days to provide a workable patch to fix the bug. Otherwise, Google would make the vulnerability public. No ifs; no ands; no buts. Naturally, software developers around the world were less than impressed, lobbying Google to change their disclosure policies. After less than a year, it seems Google is coming around and will be relaxing their Project Zero Deadlines.
The Zero Hour Deadline
Google still contends that the 90 day deadline is a workable standard, arguing that it forces developers to address software vulnerabilities in a timely manner. However, the recent exposure of a Windows 8.1 security vulnerability angered Microsoft, who was literally just a few days away from delivering a patch that addressed the issue. Microsoft argued that Project Zero’s unwillingness to adjust their timetable, and to work with developers, put users at risk and ultimately damaged the company’s reputation. The public row between Google and Microsoft over the exposure may have been the most high profile incident in Project Zero’s brief history, but it is by no means the only one. Other software developers have made similar complaints, demanding that Google relax its draconian policies and work with firms who are actively trying to meet the deadline and provide workable software patches for the public.
Google Extends Project Zero Deadlines (Somewhat)
The public and private backlash against Project Zero’s deadlines has not gone unnoticed by Google. While they continue to defend the idea that disclosure deadlines should be an industry standard, they have agreed to make some concessions. The 90 day disclosure deadline is not going to be retired, but it is going to undergo some subtle changes. Moving forward, Project Zero’s revised disclosure deadline will now allow for weekends and holidays, essentially making it a 90 workday deadline. In addition, software developers who contact the Project Zero team, and demonstrate that they have a workable patch in development will be given a grace period of an additional 14 days to complete and launch the software patch. Google hopes this small concession will help cool the ire of software developers whose apps have come under scrutiny from Project Zero.
Software Swings and Roundabouts
Google’s announcement that it would slightly relax the Project Zero disclosure deadline has been met with a chilly response. Software developers still claim that Google is acting in a rather high handed manner, and may be playing into the hands of hackers and cyber criminals by publicly exposing software vulnerabilities. However, Google has been quick to point out that they are not above their own policies, stating that “Project Zero has bugs in the pipeline for Google products” as well, and that they are “subject to the same deadline policy”.
Software developers may be unhappy with Project Zero’s policies, but clearly Google has no intention of making any further concessions at this time. The extension of deadlines for works in progress is meant to allow the extra time developers need to successfully launch their patches. It should not be taken as a pass for lazy software developers and vendors who are slow to react to important security issues in their products. Google’s Project Zero may not be welcomed by the software developing community at large, but clearly Google accessories intends to continue with their initiative while giving developers and vendors no quarter.