
Project Zero – Policy and Disclosure: 2020 Edition - esnard
https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html
======
tptacek
Nutshell: where before P0 would disclose once a vulnerability was patched, or
at 90 days, now it's simply "disclose at 90 days". If you patch on day 1, you
still get 89 days of embargo (you can, of course, waive the embargo).

The rationale is to eliminate the disincentive for rapid patching: previously,
vendors had an incentive to hold their patch until the end of the embargo
period, because patch release terminated that embargo. That's no longer the
case: vendors can now patch right away, and use the remaining embargo days to
evangelize the patch.

In addition, vendors can now patch iteratively, getting a hotfix out without
disrupting the embargo and following up with a comprehensive or systemic patch
later.

