The Google Project Zero will change the deadline of 90 days in a new model that incorporates a new 30-day grace period to give users time to install updates before the technical details of a vulnerability are revealed.
Project maintains a 90-day disclosure period for vulnerabilities that have not been fixed; however, if an update occurs within this disclosure period, the technical details will be displayed 30 days after the release of the update.
For exploits already on the internet, the disclosure will take place one week after the notification, along with the technical details if they are not fixed.
In very rare cases Project Zero has given developers a grace of fifteen days after the revelation, or a period of 3 days for very dangerous exploits. This period will now be part of the grace of the 30 days before the technical details are released.
"Switching to a '90 +30 μοντέλο model allows us to correct the adoption time of the update, while supporting the reduction of the time that users are vulnerable to known attacks.