Full Report
The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers haven't integrated it yet.
Analysis Summary
# Vulnerability: Google Project Zero Policy Change Regarding Vulnerability Disclosure Timing
## CVE Details
- CVE ID: Not provided in the context (The article discusses a *policy*, not a single specific vulnerability disclosure).
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Microsoft Windows, Dolby Unified Decoder, Internal Google Product (BigWave)
- Versions: Not specified for individual CVEs, but the disclosure targets components in the supply chain (upstream/downstream).
- Configurations: N/A
## Vulnerability Description
This article describes a **change in disclosure policy** by Google Project Zero (GPZ), not a single vulnerability. GPZ is shortening the timeline for publicizing the discovery of a vulnerability, regardless of patch status. Previously following a 90+30 day timeline, GPZ will now publicly announce that a vulnerability was reported upstream within one week of private reporting. This is intended to combat the "upstream patch gap": the delay between an upstream vendor creating a fix and downstream dependents (like system integrators or hardware vendors) applying that fix to their end products. GPZ will *not* release technical details (PoC) during this initial week-long notice.
## Exploitation
- Status: Disclosure status for specific reported bugs is not detailed, but the policy change aims to reduce exposure related to the "upstream patch gap" once a fix exists upstream.
- Complexity: N/A (Policy Change)
- Attack Vector: N/A (Policy Change)
## Impact
- Confidentiality: N/A (Policy Change)
- Integrity: N/A (Policy Change)
- Availability: N/A (Policy Change)
## Remediation
### Patches
- Specific patches for the six disclosed bugs (2 Windows, 1 Dolby, 3 BigWave) are not detailed, only that reports were filed. Users should monitor vendor advisories for the affected products.
### Workarounds
- No specific workarounds are listed, as the focus is on the disclosure process.
## Detection
- **Indicators of Compromise:** None specified, as technical details are withheld during the initial public notification phase.
- **Detection methods and tools:** Detection depends on downstream dependents integrating vendor fixes quickly once the early public notification signals action is required.
## References
- Vendor advisories: Not listed, only internal GPZ reporting dates.
- Relevant links:
- GPZ Announcement: `googleprojectzero[.]blogspot[.]com/2025/07/reporting-transparency[.]html`