There are more reforms. If there’s an incomplete fix, it’ll be reported to the developer and added to an existing report. Before, it would sometimes be treated as a separate problem with its own deadline. Google will also open tracker reports the moment a flaw is patched during the “grace period” (a 14-day window available if a developer will just miss the 90-day target) and on the 90th day.

Google plans to test the revamped Project Zero approach throughout the whole of 2020, and might make it permanent if there aren’t problems.

This should increase the chances that you’ll be well-protected against exploits before they’re made public. At the same time, it doesn’t address concerns that Google’s come-hell-or-high-water approach to disclosures has sometimes led to disclosures while patches were in the works, either forcing a hasty release or leaving users exposed. You could still see instances where you have no choice but to live with an elevated risk.

Security researcher Tavis Ormandy, of Google’s Project Zero, notified LastPass of the bug. The flaw could have allowed hackers on malicious sites to access users’ credentials entered on the previous site. Fortunately, there’s no reason to believe the bug was exploited, and while it only impacted Chrome and Opera browsers, LastPass patched all browser extensions.

This isn’t the first time LastPass has fixed a security flaw. A couple years ago, it found a vulnerability in its fingerprint verification. Before that, LastPass fixed security problems on Chrome and Firefox.

This doesn’t mean that password managers are unreliable, just that they’re not foolproof. Password managers are still a good idea, but they aren’t a perfect security measure on their own. They should be used in conjunction with multi-factor authentication, and you need to keep them updated.