Google gives developers more time to fix security flaws before revealing them

See the original posting on The Verge

Google’s Project Zero, announced last year as a way to bolster internet security, tasked Google engineers with identifying “zero day” vulnerabilities in software and services: previously unknown security flaws that developers have had no time to patch or fix. When its engineers found such vulnerabilities, Google would originally give the developers a strict 90-day window to issue a fix before making an exploit or security hole public. At the time of launch, the search giant believed the timeframe would give developers enough time to cook up a fix, but in the face of criticism, it has now extended that 90-day period.

If developers contact Google and indicate that a fix is being put together, but won’t be ready in time for the 90-day window, then…
