In 2021, software vendors took an average of 52 days to fix security vulnerabilities reported by Project Zero.
To put this in context, it is a significant acceleration from an average of about 80 days three years earlier. However, one needs to bear in mind that the number of attacks has more than tripled over the same three years, which in effect offsets the gains made by this reduction in response time.
Google's Project Zero is a team that hunts for previously unknown vulnerabilities in widely used software and reports them to the affected vendors under a disclosure deadline, with the aim of making it harder for attackers to find and exploit such bugs and so improving the security of the Internet. The team was formed in 2014.
In addition to the average now being well below the 90-day deadline, we have also seen a drop-off in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14 per cent of bugs required the grace period, Google said in its blog post.
Differences in the amount of time it takes a vendor or a product to ship a fix to users reflect their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies, Google noted.
This data aggregation and analysis is relatively new for Project Zero, but we hope to do it more in the future. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities, as well as more data sharing and transparency in general, Google said.
To help contextualise the shifts, Google looked back at the set of vulnerabilities Project Zero has been reporting and at how a range of vendors have been responding to them, and then attempted to identify trends in this data, such as whether the industry as a whole is patching vulnerabilities faster.
For this post, it looked at fixed bugs that were reported between January 2019 and December 2021 (2019 is the year Project Zero made changes to its disclosure policies and also began recording more detailed metrics on its reported bugs). The data being referenced is publicly available on the Project Zero Bug Tracker, and on various open source project repositories (in the case of the data used to track the timeline of open-source browser bugs), stated Google.
Between 2019 and 2021, Project Zero reported 376 issues to vendors under our standard 90-day deadline. 351 (93.4%) of these bugs have been fixed, while 14 (3.7%) have been marked as WontFix by the vendors. Also, 11 (2.9%) other bugs remain unfixed, though at the time of this writing 8 have passed their deadline to be fixed; the remaining 3 are still within their deadline to be fixed. Most of the vulnerabilities are clustered around a few vendors, with 96 bugs (26%) being reported to Microsoft, 85 (23%) to Apple, and 60 (16%) to Google.
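The figures above (fixed / WontFix / unfixed, bugs past their deadline, bugs that needed the grace period, mean days to fix, per-vendor share) are all derived from two dates per report. The script below is an added example, not Project Zero's own tooling, showing how a vendor or researcher could compute the same aggregate metrics from their own tracker export. It encodes the 90-day deadline and 14-day grace period as stated on this page; the sample reports, vendor names and the "today" date are constructed for illustration, and the rule that any fix landing between day 91 and day 104 "used the grace period" is a simplification (in practice the extension has to be requested).

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

DEADLINE_DAYS = 90   # Project Zero's standard disclosure deadline
GRACE_DAYS = 14      # additional grace period a vendor may be granted


@dataclass
class Report:
    """One externally reported bug: when it was reported and, if ever, fixed."""
    vendor: str
    reported: date
    fixed: Optional[date] = None   # None means no fix has shipped yet
    wontfix: bool = False          # vendor declined to fix


def days_to_fix(r: Report) -> Optional[int]:
    """Calendar days from report to fix, or None if unfixed."""
    if r.fixed is None:
        return None
    return (r.fixed - r.reported).days


def classify(r: Report, today: date) -> str:
    """Bucket a report the way the page's statistics do.

    fixed        fix shipped within the 90-day deadline
    fixed_grace  fix shipped after day 90 but within the 14-day grace period
    missed       fix shipped after deadline + grace period
    wontfix      vendor marked the bug WontFix
    open         unfixed, deadline not yet reached
    overdue      unfixed, deadline already passed
    """
    if r.wontfix:
        return "wontfix"
    if r.fixed is None:
        return "overdue" if (today - r.reported).days > DEADLINE_DAYS else "open"
    d = days_to_fix(r)
    if d <= DEADLINE_DAYS:
        return "fixed"
    if d <= DEADLINE_DAYS + GRACE_DAYS:
        return "fixed_grace"
    return "missed"


def summarize(reports: list, today: date) -> dict:
    """Aggregate counts and mean time-to-fix, plus per-vendor (count, percent)."""
    status = Counter(classify(r, today) for r in reports)
    fix_days = [days_to_fix(r) for r in reports
                if r.fixed is not None and not r.wontfix]
    total = len(reports)
    per_vendor = {v: (n, round(100 * n / total))
                  for v, n in Counter(r.vendor for r in reports).items()}
    return {
        "total": total,
        "fixed": status["fixed"] + status["fixed_grace"] + status["missed"],
        "wontfix": status["wontfix"],
        "unfixed": status["open"] + status["overdue"],
        "overdue": status["overdue"],
        "mean_days_to_fix": round(mean(fix_days), 1) if fix_days else None,
        "used_grace_period": status["fixed_grace"],
        "missed_deadline": status["missed"],
        "per_vendor": per_vendor,
    }


# Constructed sample data (hypothetical vendors and dates, not tracker records).
TODAY = date(2022, 2, 1)
SAMPLE_REPORTS = [
    Report("VendorA", date(2021, 1, 10), date(2021, 2, 20)),   # 41 days
    Report("VendorA", date(2021, 3, 1), date(2021, 6, 5)),     # 96 days, grace period
    Report("VendorB", date(2021, 2, 15), date(2021, 3, 30)),   # 43 days
    Report("VendorB", date(2021, 4, 1), date(2021, 8, 1)),     # 122 days, missed
    Report("VendorC", date(2021, 5, 20), wontfix=True),
    Report("VendorC", date(2021, 9, 1)),                       # unfixed, 153 days: overdue
    Report("VendorA", date(2021, 12, 20)),                     # unfixed, 43 days: still open
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORTS, TODAY).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports 4 fixed, 1 WontFix, 2 unfixed (1 overdue), a mean of 75.5 days to fix, one bug that used the grace period and one that missed it. Feeding a real tracker export through it requires only mapping each issue's report and fix dates onto `Report`; the per-vendor breakdown then matches the kind of clustering described above.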
There are a number of caveats with Google's data, the largest being that it covers a small number of samples, so differences in the numbers may or may not be statistically significant. Also, the direction of Project Zero's research is almost entirely influenced by the choices of individual researchers, so changes in research targets could shift the metrics as much as changes in vendor behaviour could. As much as possible, the post is designed to be an objective presentation of the data, with additional subjective analysis, Google noted.