Overview
- Starting late July, Project Zero has begun issuing weekly public notices of newly reported vulnerabilities under the Reporting Transparency trial.
- Each alert includes nontechnical metadata—vendor or open-source project, affected product, report date and 90-day disclosure deadline—without disclosing technical details or proof-of-concept code.
- The policy maintains the original 90-day bug-fix deadline plus a 30-day adoption window if vendors release patches before the deadline.
- Google Big Sleep, the Google DeepMind–Project Zero collaboration, is also applying the early notice policy to its vulnerability reports.
- Project Zero will track how weekly disclosures influence downstream integration and end-user patch adoption to inform potential policy adjustments.