Google’s vulnerability discovery team is once again advancing the boundaries of responsible disclosure:
Google’s Project Zero team will continue its established 90+30 policy for vulnerability disclosures: vendors get a 90-day period before full disclosure, plus an additional 30 days for the fix to roll out to users if the flaw is fixed before the deadline.
However, starting from July 29, Project Zero will also publish limited information about each finding within one week of reporting it to the vendor. This information will include:
- The vendor or open-source initiative that received the notification
- The impacted product
- The date the notification was submitted and when the 90-day disclosure deadline concludes
I have conflicting thoughts on this matter. On one side, I appreciate that it increases pressure on vendors to remedy issues swiftly. Conversely, if no indication is given of a vulnerability’s severity, the announcement alone could easily cause unwarranted alarm.
The issue is that Google is not an impartial party in the search for vulnerabilities. To the extent that it identifies and publishes flaws in rival products, and thereby diminishes trust in them, Google benefits as a corporation.