Google’s Security Team to Publicly Disclose Unpatched Vulnerabilities: A Proactive Approach to Enhanced Cybersecurity

Google’s Project Zero, the team dedicated to finding previously unknown software vulnerabilities, has announced a change to its vulnerability disclosure policy intended to speed up patch adoption by software vendors. Previously, the team gave vendors 90 days to address a flaw before public disclosure, plus an additional 30 days for users to install any resulting patch.

Now, Project Zero will publicly disclose the vendor and the affected product within one week of reporting a vulnerability to that vendor, while keeping the 90-day deadline for full disclosure. The change is being implemented on a trial basis; two newly discovered vulnerabilities in Microsoft Windows and three in Google’s “BigWave” product (possibly a video codec) are the first to be revealed under the new policy.

To avoid tipping off attackers, details about the nature or severity of the reported flaws will not be disclosed until the 90-day deadline has passed. Google’s head of Project Zero, Tim Willis, stated in the announcement that “Reporting Transparency is an alert, not a blueprint for attackers.”

The policy shift aims to close what Project Zero calls the “upstream patch gap,” which occurs when a vendor publishes a fix but fails to distribute it to the downstream partners responsible for shipping security updates. The new disclosure practice is meant to provide greater transparency and strengthen communication between upstream vendors and their downstream dependents, ultimately leading to faster patches and better adoption by end users.

While acknowledging that the change may spark controversy (including within Google itself, which maintains the Android OS), Project Zero has framed the move as a trial whose effects it will monitor closely. In his statement, Willis noted that some vendors without a downstream ecosystem may see the policy as drawing unnecessary attention to unfixed bugs, but that such vendors account for a minority of the vulnerabilities Project Zero reports.

In a FAQ, Project Zero defended the practice of informing the public about the existence of certain flaws, arguing that this information is not substantially helpful to attackers given how common software vulnerabilities are. As of July 29, 2025, Project Zero had reported 2,131 vulnerabilities with a 90-day deadline in a ‘New’ or ‘Fixed’ state in its issue tracker, and 95 vulnerabilities had been disclosed without a patch being made available to users.