Google Project Zero Trials Reporting Transparency to Reduce Patch Gaps in 2025
Google Project Zero introduces a new Reporting Transparency trial to address upstream patch delays, aiming to accelerate vulnerability fixes and improve end-user security.
Google Project Zero Announces Reporting Transparency Trial to Tackle Patch Gaps
Mountain View, CA – July 2025 – Google Project Zero, led by Tim Willis, has unveiled a new Reporting Transparency trial policy aimed at reducing the "upstream patch gap"—a critical delay in the vulnerability remediation process. This initiative seeks to accelerate the delivery of security fixes to end-users by improving transparency between upstream vendors and downstream dependents.
Key Details of the Policy Update
Under the existing 90+30 disclosure model, a vendor has 90 days to fix a reported vulnerability before public disclosure; if the fix ships before that deadline, a further 30 days are allowed for patch adoption before details are published. The new trial adds an early public notification step on top of this:
- Within one week of reporting a vulnerability, Project Zero will publicly disclose:
  - The vendor or open-source project that received the report.
  - The affected product.
  - The report filing date and the 90-day disclosure deadline.
Google Big Sleep, a collaboration between Google DeepMind and Project Zero, will also adopt this policy. Vulnerability reports will be tracked via the Google Big Sleep issue tracker.
Addressing the Upstream Patch Gap
The upstream patch gap refers to the delay between an upstream vendor releasing a fix and downstream dependents integrating it into their products. This gap significantly extends the vulnerability lifecycle, leaving end-users exposed even after a patch is available.
"For the end user, a vulnerability isn’t fixed when a patch is released from Vendor A to Vendor B; it’s only fixed when they download and install the update," Willis explained. "To shorten this chain, we must address the upstream delay."
Goals and Expected Impact
The primary objectives of the Reporting Transparency trial are to:
- Increase transparency by providing early signals to downstream dependents about upstream vulnerabilities.
- Encourage stronger communication channels between vendors to expedite patch development and adoption.
- Enable public tracking of how long fixes take to reach end-users, and of whether they arrive at all.
Project Zero anticipates that this trial will foster a more proactive security ecosystem, ultimately reducing the window of exposure for critical vulnerabilities.
Security Implications and Industry Response
While the trial may initially draw public attention to unfixed vulnerabilities, Project Zero emphasizes that no technical details, proof-of-concept code, or exploit-enabling information will be released before the disclosure deadline. The policy is designed to serve as an alert mechanism, not a roadmap for attackers.
"We believe the benefits of a fair, simple, and transparent policy outweigh the risk of inconvenience to a small number of vendors," Willis stated. "In 2025, the mere existence of vulnerabilities in software should neither be surprising nor alarming. End-users are more aware of security updates than ever, and it’s widely accepted that complex systems will have vulnerabilities."
Next Steps and Monitoring
As a trial, Project Zero will closely monitor the policy’s effects and adjust as needed. The ultimate goal is to create a safer ecosystem where vulnerabilities are remediated not just in upstream repositories but on the devices, systems, and services used daily by end-users.
Security professionals and vendors are encouraged to provide feedback as the trial progresses. For more details, visit the Project Zero Reporting Transparency page.