Software vendors are getting quicker at fixing vulnerabilities in their products, releasing updates an average of 52 days after the bugs are responsibly disclosed to them by Google’s Project Zero.
In an update on its security research program, the tech giant said that the new figure is a “significant acceleration” from the average of 80 days it took developers to fix bugs three years ago.
Under Project Zero’s disclosure policy, a vendor has 90 days from the report to fix a vulnerability found by Google researchers and ship a patch to customers, with an additional 14-day grace period possible.
“Between 2019 and 2021, Project Zero reported 376 issues to vendors under our standard 90-day deadline. Some 351 (93.4%) of these bugs have been fixed, while 14 (3.7%) have been marked as WontFix by the vendors,” Google explained.
“Eleven (2.9%) other bugs remain unfixed, though at the time of this writing eight have passed their deadline to be fixed; the remaining three are still within their deadline to be fixed. Most of the vulnerabilities are clustered around a few vendors, with 96 bugs (26%) being reported to Microsoft, 85 (23%) to Apple, and 60 (16%) to Google.”
In 2021, a vendor exceeded the 90-day deadline only once, which Google attributed to security-update best practices becoming more widespread across the industry. There are also reasons to believe, however, that these practices may not apply equally to vulnerabilities reported by sources outside Project Zero.
“One important caveat: we are aware that reports from Project Zero may be outliers compared to other bug reports, in that they may receive faster action as there is a tangible risk of public disclosure (as the team will disclose if deadline conditions are not met) and Project Zero is a trusted source of reliable bug reports,” Google admitted.