Case Study 1: Google Project Zero's 90-Day Disclosure Policy and the Zerodium Vulnerability Market

Part I: Google Project Zero and the Disclosure Deadline

The Birth of Project Zero

In July 2014, Google announced the creation of Project Zero, a team of elite security researchers dedicated to finding zero-day vulnerabilities in widely used software — not just Google's own products, but software made by Microsoft, Apple, Adobe, and any other vendor whose products affect the security of Google's users. The team was led by Chris Evans, a veteran security researcher, and included some of the most talented vulnerability researchers in the world.

Project Zero's mission was audacious: to "significantly reduce the number of people harmed by targeted attacks." The team would find vulnerabilities, report them to vendors, and — crucially — enforce a strict 90-day disclosure deadline. If the vendor failed to release a patch within 90 days, Project Zero would publish the vulnerability details and proof-of-concept code, regardless of the vendor's progress or objections.

The 90-day policy was deliberate and provocative. Google had long been frustrated by what it perceived as vendors' sluggish approach to vulnerability remediation. In Google's view, vendors — particularly Microsoft — often sat on vulnerability reports for months or years, leaving users exposed to attacks. A firm deadline would force vendors to prioritize security fixes and would demonstrate that timely patching was technically feasible.

The Microsoft Confrontations

The most public and contentious clashes occurred between Project Zero and Microsoft. In January 2015, Project Zero published details of a Windows 8.1 privilege escalation vulnerability after the 90-day deadline expired, just two days before Microsoft's planned Patch Tuesday release. Microsoft was furious. In a public blog post, Microsoft Senior Director Chris Betz accused Google of prioritizing its own disclosure schedule over user safety:

"What's right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal."

Google stood firm, arguing that the deadline was essential for accountability. Project Zero researcher Ben Hawkes responded that 90 days was more than sufficient for most patches, and that bending the deadline would undermine its purpose.

The incident repeated itself multiple times. In 2017, Project Zero disclosed a Windows vulnerability that Microsoft had been unable to patch within the deadline due to technical complexity in the update mechanism. In 2019, a macOS vulnerability was disclosed after Apple missed the deadline. Each disclosure generated debate about whether the rigid deadline served users' interests or exposed them to risk.

The Policy Evolution

In response to criticism and experience, Project Zero modified its policy in several ways:

2015: Grace Period for Weekends and Holidays. If the 90-day deadline fell on a weekend or U.S. holiday, the deadline was extended to the next business day.

2020: The 90+30 Policy. This was the most significant change. Vendors still receive 90 days to release a patch, but if they meet the deadline, the full technical details (including proof-of-concept code) are withheld for an additional 30 days to give users time to apply the patch. If the vendor misses the 90-day deadline, full details are published immediately.

Active Exploitation Exception. If a vulnerability is being actively exploited in the wild (a "zero-day in the wild"), the disclosure deadline is shortened to 7 days. The rationale is that if attackers already know about the vulnerability, defenders need the information urgently.

Vendor Collaboration. Project Zero increasingly works collaboratively with vendors during the disclosure period, providing technical assistance, suggesting mitigations, and offering to test patches. This reflects a shift from an adversarial relationship to a more collaborative one.
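To make the deadline arithmetic concrete, the following is an added example (not Project Zero's own tooling) that encodes the rules just described: the 90-day deadline, the 7-day deadline for bugs exploited in the wild, the weekend/holiday roll-over, and the 30-day hold on details after a timely fix. It assumes the 30-day hold counts from the date the vendor ships the fix, and the tracker ids are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE_DAYS = 90       # standard vendor deadline
IN_THE_WILD_DAYS = 7     # shortened deadline for actively exploited bugs
ADOPTION_DAYS = 30       # hold-back of full details after a timely fix (the "+30")


def next_business_day(d: date, holidays: frozenset = frozenset()) -> date:
    """Roll a date forward past weekends and listed holidays (the 2015 grace rule)."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


@dataclass
class Report:
    bug_id: str                     # constructed tracker id, not a real issue number
    reported: date                  # date the vendor was notified
    in_the_wild: bool = False       # actively exploited when reported?
    patched: Optional[date] = None  # date the vendor shipped a fix, if any


def deadline(r: Report, holidays: frozenset = frozenset()) -> date:
    """Date by which the vendor must ship a fix."""
    days = IN_THE_WILD_DAYS if r.in_the_wild else DEADLINE_DAYS
    return next_business_day(r.reported + timedelta(days=days), holidays)


def publish_date(r: Report, holidays: frozenset = frozenset()) -> date:
    """Date on which full details (including PoC) become public under 90+30."""
    dl = deadline(r, holidays)
    if r.patched is not None and r.patched <= dl:
        # Assumption: the 30-day hold is counted from the patch release date.
        return r.patched + timedelta(days=ADOPTION_DAYS)
    return dl  # deadline missed (or no fix yet): details go out at the deadline


def status(r: Report, today: date, holidays: frozenset = frozenset()) -> str:
    """Where a report stands on a given day: open, fixed-withheld, published, missed-published."""
    dl = deadline(r, holidays)
    if r.patched is not None and r.patched <= dl:
        return "published" if today >= publish_date(r, holidays) else "fixed-withheld"
    return "missed-published" if today >= dl else "open"


if __name__ == "__main__":
    r = Report("TRK-0001", date(2024, 1, 10), patched=date(2024, 3, 5))
    print(r.bug_id, deadline(r), publish_date(r), status(r, date(2024, 3, 20)))
```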

Data and Impact

Project Zero has published data on its disclosure outcomes. Its analysis shows:

  • The vast majority of vulnerabilities (over 95%) are patched within the 90-day window.
  • The average time to patch has decreased over the years, suggesting that the deadline is having a positive effect on vendor behavior.
  • Vendors that have historically been slow to patch (including Microsoft and Apple) have significantly improved their patch timelines.
  • The number of vulnerabilities disclosed after the deadline has decreased, not because Project Zero is finding fewer bugs, but because vendors are fixing them faster.

Part II: Zerodium and the Commercial Vulnerability Market

The Other Side of the Market

While Project Zero represents one end of the vulnerability disclosure spectrum — finding vulnerabilities and pressuring vendors to fix them — Zerodium represents the opposite end: buying vulnerabilities and selling them to parties who want to use them.

Founded in 2015 by Chaouki Bekrar, Zerodium is the successor to VUPEN Security, a French company that sold exploits to government agencies. Bekrar is a controversial figure in the security community — brilliant, unapologetic, and willing to defend the exploit trade publicly.

Zerodium's business model is straightforward: the company purchases zero-day exploits from independent researchers, verifies them, develops them into reliable products, and sells them to government clients. The company claims that its clients are limited to "major government organizations in need of specific and tailored cybersecurity capabilities" and that it does not sell to countries subject to international sanctions.

The Price List

Zerodium publishes a price list for different categories of exploits, and the prices are staggering:

Vulnerability Type                     | Zerodium Price   | Typical Bug Bounty
iOS remote zero-click (full chain)     | Up to $2,500,000 | Apple: up to $2,000,000
Android remote zero-click (full chain) | Up to $2,500,000 | Google: up to $250,000
Windows RCE (zero-click)               | Up to $1,000,000 | Microsoft: varies, typically $100,000-250,000
WhatsApp/iMessage RCE                  | Up to $1,500,000 | Meta: varies, typically $50,000-500,000
Chrome RCE + sandbox escape            | Up to $500,000   | Google: up to $250,000

The price differential is significant. For many vulnerability types, Zerodium pays 2-10 times more than the vendor's bug bounty program. This creates an economic incentive for researchers to sell to Zerodium rather than reporting to the vendor.

The Ethical Debate

The existence of companies like Zerodium raises fundamental ethical questions:

Is the exploit trade inherently unethical? Defenders of the trade argue that governments have a legitimate need for offensive cyber capabilities, just as they have a legitimate need for conventional weapons. Exploits are tools of national security, intelligence gathering, and law enforcement. If governments did not buy them from commercial brokers, they would develop them in-house (at greater cost and with less oversight) or acquire them through less legitimate channels.

Critics counter that the exploit trade incentivizes vulnerability hoarding, keeping millions of users at risk. When Zerodium buys an iOS exploit, that exploit is not reported to Apple, and every iPhone user in the world remains vulnerable until the vulnerability is independently discovered and patched. Moreover, the "vetted government client" claim rings hollow in light of cases like NSO Group's Pegasus spyware, which was used by authoritarian governments to surveil journalists, human rights activists, and political dissidents.

Does the price differential undermine the vulnerability ecosystem? When Zerodium pays $2.5 million for an iOS exploit and Apple pays $2 million for the same class of vulnerability, the economic incentive to report to Apple is still strong (given the lower legal risk and reputational benefit). But for other platforms where the differential is 10x or more, the economic case for selling to a broker is overwhelming. This means that the most critical vulnerabilities — the ones that affect the most users and carry the greatest risk — are the ones most likely to be diverted from the disclosure ecosystem.

Can oversight mechanisms work? Zerodium claims to vet its clients and restrict sales to responsible governments. But the company is privately held, operates with minimal transparency, and is not subject to meaningful external oversight. There is no way for the public to verify that Zerodium's clients are using the exploits responsibly, or that the exploits are not being resold or shared with third parties.

Part III: The Intersection — When Markets and Deadlines Collide

The Economic Ecosystem

Project Zero and Zerodium represent two competing forces that shape the vulnerability ecosystem:

Project Zero pushes toward disclosure and patching. By finding vulnerabilities and enforcing deadlines, Project Zero increases the rate at which vulnerabilities are fixed, reducing the window of opportunity for attackers (and for exploit brokers).

Zerodium pushes toward secrecy and retention. By offering high prices for undisclosed vulnerabilities, Zerodium incentivizes researchers to keep vulnerabilities secret, increasing the number of unpatched vulnerabilities in the wild.

The tension between these forces has real consequences for global cybersecurity. Every vulnerability that is reported to a vendor and patched makes the world slightly more secure. Every vulnerability that is sold to a broker and retained makes the world slightly less secure (unless the broker's clients use it only for targeted, proportionate, and lawful purposes — an assumption that the NSO Group/Pegasus scandals have severely undermined).

The Researcher's Dilemma

For individual researchers, the tension between disclosure and sale creates a genuine ethical dilemma. Consider a hypothetical researcher who discovers a critical Android vulnerability:

  • Reporting to Google: The researcher might receive $50,000-250,000 through Google's VRP. The vulnerability will be patched, protecting billions of Android users. The researcher gains reputation and recognition in the security community.

  • Selling to Zerodium: The researcher might receive $1,000,000-2,500,000. The vulnerability will remain unpatched, potentially for years. The researcher's identity remains confidential. The exploit may be used for lawful intelligence operations — or it may be used to surveil dissidents.

  • Publishing on Full Disclosure: The researcher receives no money. The vulnerability becomes immediately known to both attackers and defenders. The vendor is forced to rush a patch. Users are temporarily at greater risk but are informed and can take protective measures.

Each of these choices reflects different ethical priorities, and reasonable people can disagree about which is most defensible.

Discussion Questions

  1. Is the 90-day disclosure deadline the right balance between vendor convenience and user safety? Should different types of vulnerabilities have different deadlines?

  2. Should governments regulate the commercial exploit market? If so, how could regulation be designed to allow legitimate national security use while preventing human rights abuses?

  3. If you discovered a critical iOS vulnerability, what would you do? Report to Apple, sell to Zerodium, or pursue another path? Explain your reasoning using at least two ethical frameworks.

  4. Has Project Zero's disclosure policy made the internet more or less secure overall? Consider both the direct effects (more vulnerabilities patched faster) and the indirect effects (potential weaponization of published PoC code).

  5. How should the security community respond to the fact that the economic incentives of the vulnerability market systematically favor secrecy over disclosure?

Connection to Course Themes

This case study sits at the intersection of multiple recurring themes. The Ethics of Disclosure is the central theme, with Project Zero and Zerodium representing opposite ends of the disclosure spectrum. The Authorization/Legality theme is present in the safe harbor implications of vulnerability research and the export control issues surrounding exploit sales. The Attack Surface Evolution theme is visible in how the vulnerability market itself has evolved from informal hacking communities to sophisticated commercial operations. And the Attacker vs. Defender Mindset theme permeates the entire discussion: the same vulnerability knowledge that defends systems can be used to attack them, and the choice of how to handle that knowledge defines the ethical character of the researcher.