Wednesday, July 30, 2025

Name and Shame? Google’s Security Team to Publicly Flag New, Unpatched Flaws

To speed up patch rollouts, a Google security team is making a potentially controversial change to how it discloses software vulnerabilities.

The news comes from Google’s “Project Zero,” a team focused on uncovering previously unknown software bugs, also known as zero-days. The group gives a software vendor 90 days to patch a flaw before disclosing the vulnerability publicly. (If the vendor releases a patch within that window, the technical details are published 30 days after the patch ships, to give users time to install it.)

Project Zero is now revising that disclosure policy, citing the need to push software vendors toward better patch adoption. The 90-day disclosure deadline remains in effect. But starting today, within one week of reporting a problem to the software maker, the team will publicly announce that it has done so, naming the vendor and the affected product.

The new policy is in effect on a trial basis, and Project Zero’s first transparency list discloses two new vulnerabilities in Microsoft Windows, along with three flaws in Google’s “BigWave” product, possibly a reference to a video codec.

(Image: Project Zero’s list of newly reported vulnerabilities. Credit: Project Zero)

To avoid tipping off hackers, the new practice won’t disclose the exact nature of the reported flaws or their severity. “We want to be clear: no technical details, proof-of-concept code, or information that we believe would materially assist discovery will be released until the deadline,” Google’s head of Project Zero, Tim Willis, wrote in the announcement. “Reporting Transparency is an alert, not a blueprint for attackers.”

Project Zero is making the change to tackle what it calls the “upstream patch gap”: the delay between an upstream software vendor publishing a fix for a flaw and the “downstream” partners that actually ship the security update to users (device makers, operating system distributors and other vendors that build on the upstream code) getting that fix into their own products. Until they do, users remain vulnerable even though a fix already exists.

According to Willis, the greater transparency promises to “shrink the upstream patch gap” since the downstream partners won’t be left in the dark about a vulnerability that’s being fixed. It also keeps consumers in the loop, at least for findings from Project Zero.

“We hope that this trial will encourage the creation of stronger communication channels between upstream vendors and downstream dependents relating to security, leading to faster patches and improved patch adoption for end users,” Willis added. 

Still, Project Zero is aware the change might ruffle some feathers, Google’s included, since Google maintains the Android OS and the same policy puts a spotlight on unfixed bugs in its products too. That is probably why Project Zero is running the new disclosure practice as a trial, with the goal of “closely monitoring its effects.”

“We understand that for some vendors without a downstream ecosystem, this policy may create unwelcome noise and attention for vulnerabilities that only they can address,” Willis added. “However, these vendors now represent the minority of vulnerabilities reported by Project Zero. We believe the benefits of a fair, simple, consistent and transparent policy outweigh the risk of inconvenience to a small number of vendors.”

In an FAQ, Project Zero previously defended warning the public about the existence of certain flaws. “All software of sufficient complexity will contain vulnerabilities, so saying things like ‘I just reported a vulnerability in the Android media server’ isn’t materially useful information for an attacker,” the FAQ says.

The page also adds: “As of July 29, 2025, we have 2,131 vulnerabilities with a 90-day deadline in a ‘New’ or ‘Fixed’ state in our issue tracker, and 95 vulnerabilities have been disclosed without a patch being made available to users.”

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.