The earlier policy was to inform a company about a vulnerability, wait for 90 days, and then release details. Now, any third-party will have an additional month to issue patches and take any other remedial action.
However, Tim Willis, the lead of Project Zero, said in a blog post that details of vulnerabilities would be made public as soon a bug was patched, rather than waiting for the full 30 days to elapse.
The details of the new policy, which are a trial, are listed in the screenshot below.
And there have been times when Google's own researchers have disagreed with each other in public over bug disclosures by other researchers, with one such spat being over two zero-day vulnerabilities in the Mac version of Zoom.
Willis wrote: "The goal of our 2021 policy update is to make the patch adoption timeline an explicit part of our vulnerability disclosure policy.
"Vendors will now have 90 days for patch development, and an additional 30 days for patch adoption.
"This 90+30 policy gives vendors more time than our current policy, as jumping straight to a 60+30 policy (or similar) would likely be too abrupt and disruptive.
"Our preference is to choose a starting point that can be consistently met by most vendors, and then gradually lower both patch development and patch adoption timelines."
He hinted at further changes in the coming year. "For example, based on our current data tracking vulnerability patch times, it's likely that we can move to a '84+28' model for 2022 (having deadlines evenly divisible by seven significantly reduces the chance our deadlines fall on a weekend).
"Beyond that, we will keep a close eye on the data and continue to encourage innovation and investment in bug triage, patch development, testing, and update infrastructure."