The Scarlet Letter “V” – Google to begin publicly reporting the discovery of new vulnerabilities within 1 week of notifying the vendor.

Google’s Project Zero team has announced a new policy, effective July 29, 2025, to increase transparency around software vulnerabilities. Under this trial policy, Project Zero will publicly disclose the existence of a new vulnerability report within one week of notifying the affected vendor or project. This means that soon after reporting an issue to a software maker or open-source project, Google will share:

  • The name of the vendor or project receiving the report.
  • The affected product.
  • The date the report was filed.
  • The date the 90-day public disclosure deadline will expire.

Importantly, this new “Reporting Transparency” step does not disclose technical details that could help attackers. That information remains withheld under Project Zero’s longstanding “90+30” policy: vendors get 90 days to fix a bug (with a possible 14-day grace period if a fix is imminent), and when a patch ships within that window, publication of the full details waits a further 30 days after the patch to give users time to update. If no fix ships by the deadline, the details are published when the 90 days expire.

The main goal is to address the “upstream patch gap”—the time between a vendor learning about a vulnerability and downstream partners (like device manufacturers or software distributors) being alerted so they can prepare their own updates. By making the existence of new vulnerabilities public more quickly, downstream vendors have better information to react and coordinate security responses for their users.

According to Google, the trial is designed to encourage faster patch adoption and shorter “patch gaps”, improve coordination between software vendors and downstream dependents, and increase overall transparency in the vulnerability remediation process.

Technical details of vulnerabilities will therefore still be released only after a fix is issued and the adoption period has passed, or once the deadline expires without a fix, following Google’s standard public disclosure practices.
