Google: Vendors took an average of 52 days to fix reported security flaws
Google’s Project Zero published a report covering the vulnerabilities it reported between 2019 and 2021. It found that in 2021 vendors took an average of 52 days to fix reported security vulnerabilities, down from roughly 80 days three years earlier.
Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under the team’s 90-day disclosure deadline.
Of those 376 issues, more than 93% have been fixed and more than 3% were marked “WontFix” by the vendor, according to Project Zero.
The researchers added that the remaining 11 bugs are unfixed, 8 of which have already passed their deadline. Microsoft, Apple and Google account for 65% of the reported bugs: Microsoft led with 96, followed by Apple with 85 and Google with 60.
“Overall, the data shows that almost all the major vendors here come in under 90 days, on average. The bulk of patches during a grace period come from Apple and Microsoft (22 out of 34 total). Vendors missed a deadline and a grace period about 5% of the time during this period,” the Project Zero researchers said.
“In this bracket, Oracle exceeded at the highest rate, but admittedly with a relatively small sample size of only about 7 bugs. The next highest rate is Microsoft, which exceeded 4 of its 80 deadlines. [The] average days to fix bugs across all vendors is 61 days.”
Google also provided stats showing that overall time to fix has been steadily decreasing, especially for Microsoft, Apple and Linux. All three reduced their fix time between 2019 and 2020, while Google got faster in 2020 and slowed again in 2021.
In 2021, only one 90-day deadline was missed, a marked decrease from the average of 9 per year in the other two years. The researchers added that the grace period was used 9 times in 2021, half of them by Microsoft, slightly below the average of 12.5 in the other years.
When it comes to mobile vulnerabilities, iOS had 76 bugs in total, followed by 10 for Samsung Android devices and 6 for Pixel Android devices.
For browsers, the report measured the time for a fix to land in the public source repository, which is distinct from the time until that fix ships to users. Chrome had 40 bugs and an average of 5.3 days for a fix to land. WebKit had 27 bugs with an average of 11.6 days, while Firefox had 8 bugs with an average of 16.6 days.
“Chrome is currently the fastest of the three browsers, with a 30-day delay between bug report and release of a fix in the Stable channel. Firefox comes in second in this analysis, with a relatively low number of data points to analyze, averaging a fix in 38 days,” the researchers said.
“WebKit is the outlier in this analysis, with the longest time to release a patch, at 73 days. Their time to land the patch publicly is in the middle between Chrome and Firefox, but unfortunately that leaves a very long time for opportunistic attackers to find the patch and exploit it before the fix is made available to users.”
Project Zero said the results were a positive development, showing that most vendors are fixing nearly all of the bugs reported to them. Vendors are also fixing issues faster, which Google attributes in part to vulnerability disclosure deadlines having become an industry standard.
Google has urged all vendors to focus on a “more frequent patch cadence for security issues.”
“We encourage all vendors to consider publishing aggregate data on their time to fix and time to patch for externally reported vulnerabilities. Through more transparency, information sharing and collaboration across the industry, we believe we can learn from each other’s best practices, better understand the challenges that exist, and hopefully make the internet a safer place for everyone,” Project Zero said.