
Google Project Zero’s new “Reporting Transparency” policy, launched as a trial, aims to increase transparency about security vulnerabilities by making public certain information within one week of reporting a bug to a vendor. The team will now disclose:
- The name of the vendor or open-source project receiving the report.
- The affected product.
- The date the report was filed.
- When the standard 90-day disclosure deadline expires.
No technical details, proof-of-concept code, or information that could assist attackers will be released at this early stage—only basic facts to signal that a vulnerability affecting particular products is under review.
Purpose and Motivation
The policy specifically targets the “upstream patch gap.” The familiar patch gap is the time between a fix being released and users installing it; the upstream gap is an earlier stage, when an upstream vendor or open-source project already has a fix but the downstream vendors who actually ship that code to end users (device makers, distributions, browser and OS vendors) have not yet incorporated it. Project Zero found that this upstream gap can greatly extend the lifecycle of a vulnerability, leaving users exposed for longer than the upstream fix date alone would suggest.
By announcing the existence of a vulnerability early, even without details, Project Zero hopes to:
- Inform downstream vendors and encourage faster fixes throughout the software supply chain.
- Spur better communication between upstream and downstream stakeholders regarding security.
- Allow security teams and the public to track how quickly fixes move from discovery to user protection.
Implementation and Safeguards
- The existing 90+30 day policy remains: vendors get 90 days to fix the bug, and if a fix ships within that window, technical details are withheld for a further 30 days so users have time to patch. If no fix ships by day 90, the details are published at the deadline as before.
- The early disclosure contains only the high-level facts listed above (vendor, product, report date, deadline); no technical details, proof of concept, or other exploitable information is included.
- The impact of this transparency trial will be closely monitored. Project Zero emphasizes that the goal is a safer ecosystem, not unwanted attention for vendors or a blueprint for attackers.
Where to Find These Disclosures
Project Zero is maintaining a public reporting page that tracks each vulnerability from the time it is reported, with updates on its fix status and deadlines. This lets anyone see which disclosures are currently outstanding and which have been fixed under this transparent process.
In summary, Google’s Project Zero “Reporting Transparency” enhances visibility into vulnerability lifecycles, promotes proactive patching, and aims to close the persistent gap between bug discovery, patch release, and true end-user protection.