Google is changing its security disclosure policy after Microsoft criticized it for releasing information about a vulnerability two days before one of the company’s Patch Tuesday releases that fixed the problem in question.

Under the new policy, Google will disclose any security vulnerabilities it finds in other tech products 90 days after notifying a company of the problem, but will offer a vendor a 14-day grace period if informed that a patch for the issue is scheduled on a specific date during that time. In addition, if the end of the 90-day deadline falls on a weekend or U.S. public holiday, Google will postpone its disclosure until the next business day.

Both of those changes would have been helpful to Microsoft, which patched the vulnerability two days after it was disclosed on a Sunday.

Overall, Google said that its use of deadlines has been productive when it comes to improving security. Out of the 154 total vulnerabilities filed by its Project Zero team, 85 percent of them were fixed within a 90-day deadline. What’s more, 95 percent of the 73 issues filed and fixed after October 1, 2014 were fixed ahead of the deadline.

“Deadlines appear to be working to improve patch times and end user security—especially when enforced consistently,” key players from the company said in a blog post today.

The company also took the opportunity to suggest that other security researchers adopt deadlines in order to encourage speedy patches. Quick patching has become an important issue for major tech companies recently, since disclosures from Edward Snowden revealed intelligence agencies around the world taking advantage of unpatched vulnerabilities in order to conduct surveillance.
