Particle.news

Google Project Zero Launches Reporting Transparency Trial to Accelerate Patch Adoption

By signaling reported flaws to downstream developers and end users early, the trial aims to shrink critical delays before fixes reach devices.

Overview

  • Under the Reporting Transparency trial, Project Zero will publish the vendor, affected product, report filing date and 90-day disclosure deadline within seven days of vendor notification.
  • This new step supplements the established 90+30 policy by adding an early public alert to motivate faster integration of upstream fixes by downstream teams.
  • Google Big Sleep, the joint effort between Google DeepMind and Project Zero, has also opted into the early reporting protocol for its vulnerability findings.
  • All technical exploit data and proof-of-concept code will remain under wraps until the end of the 90-day deadline to avoid aiding potential attackers.
  • Google will monitor how quickly downstream projects adopt patches and assess the trial’s effects on overall end-user security before determining any permanent policy changes.