Google’s Project Zero has recently gone public with security vulnerabilities in several popular applications, including some made by Microsoft. The disclosures were controversial because Google gave the developers just 90 days to fix the bugs before it made the information public. In response to the criticism, Google is adding a 14-day grace period to its disclosure deadline.
A Google blog post explained, “We believe the policy updates are still strongly in line with our desire to improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline.”
According to Google, 95 percent of the bugs that the Project Zero team finds and reports to software developers are fixed within 90 days.