The Google Project Zero will change the deadline of 90 days in a new model that incorporates a new 30-day grace period to give users time to install updates before the technical details of a vulnerability are revealed.
Project maintains a 90-day disclosure period for vulnerabilities that have not been fixed; however, if an update occurs within this disclosure period, the technical details will be displayed 30 days after the release of the update.
For exploits which are already online, the reveal will take place one week after notice, along with the technical details if not fixed.
In very rare cases the Project Zero has given developers a fifteen-day grace period after disclosure, or a 3-day period for very dangerous exploits. This period will now be part of the 30 day grace period before the technical details are released.
“Moving to a '90+30' model allows us to fix update adoption time while supporting the reduction of time users are vulnerable to known attacks.
