Google’s Project Zero has observed a decrease in the overall time vendors need to address vulnerabilities reported by the bug hunting team.
Between 2019 and 2021, the team reported a total of 376 vulnerabilities and saw most of them (351) get patched. Of the remaining flaws, 14 are marked “WontFix” by the vendor and 11 remain unfixed.
Per Google Project Zero’s policy, vendors have 90 days to address the security errors, but they can also request a 14-day grace period if a patch will be shipped within that 104-day window.
Out of a sample of 346 vulnerabilities reported and patched between 2019 and 2021, the majority were patched within that window, with only 5% exceeding the deadline and grace period.
Last year, vendors needed an average of 52 days to address the reported issues, down from 54 days in 2020 and 67 days in 2019.
“We can see a few things: first of all, the overall time to fix has consistently been decreasing, but most significantly between 2019 and 2020,” Google Project Zero says.
Only one deadline was exceeded last year, a significant decrease from the 9 deadlines exceeded between 2019 and 2020, the team says. The grace period was used 9 times in 2021.
The bulk of fixes during the three-year period came from Apple (84), with Microsoft (80), Google (56), Linux (25), and Adobe (19) rounding up the top five. On average, they needed less than 90 days to resolve the reported issues.
Google’s Project Zero team reported a total of 76 iOS vulnerabilities between 2019 and 2021, and only 16 Android bugs, but the imbalance results from the manner in which Apple ships security updates: since patches for Apple applications are included in iOS updates, Project Zero counts them as platform issues.
The team reported 40 bugs found in Chrome, 27 in WebKit, and 8 in Firefox, and observed that these were fixed, on average, within 46 days.
At the moment, Chrome is the fastest of the three in terms of time to fix, with “an average of 5 days between the bug report and the patch landing in public,” Project Zero says.
Fixes for Firefox are shipped, on average, in 38 days, while those for WebKit receive patches the slowest, at an average of 73 days.
“Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed. Over the past three years vendors have, for the most part, accelerated their patch effectively reducing the overall average time to fix to about 52 days,” the team says.
However, Project Zero also points out that vendors might be rushing to release patches to avoid the risk of public disclosure when the deadline is reached, and encourages vendors to release metrics to paint a better picture of how quickly vulnerabilities are being addressed across the industry.