Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Vulnerabilities Found by Google Researchers in 2021 Got Patched on Average in 52 Days

Google’s Project Zero has observed a decrease in the overall time vendors need to address vulnerabilities reported by the bug hunting team.

Between 2019 and 2021, the team reported a total of 376 vulnerabilities and saw most of them (351) get patched. Of the remaining flaws, 14 are marked “WontFix” by the vendor and 11 remain unfixed.

Google’s Project Zero has observed a decrease in the overall time vendors need to address vulnerabilities reported by the bug hunting team.

Between 2019 and 2021, the team reported a total of 376 vulnerabilities and saw most of them (351) get patched. Of the remaining flaws, 14 are marked “WontFix” by the vendor and 11 remain unfixed.

Per Google Project Zero’s policy, vendors have 90 days to address the security errors, but they can also request a 14-day grace period if a patch will be shipped within that 104-day window.

Out of a sample of 346 vulnerabilities reported and patched between 2019 and 2021, the majority were patched within that window, with only 5% exceeding the deadline and grace period.

Last year, vendors needed an average of 52 days to address the reported issues, down from 54 days in 2020 and 67 days in 2019.

“We can see a few things: first of all, the overall time to fix has consistently been decreasing, but most significantly between 2019 and 2020,” Google Project Zero says.

Only one deadline was exceeded last year, a significant decrease from the 9 deadlines exceeded between 2019 and 2020, the team says. The grace period was used 9 times in 2021.

The bulk of fixes during the three-year period came from Apple (84), with Microsoft (80), Google (56), Linux (25), and Adobe (19) rounding up the top five. On average, they needed less than 90 days to resolve the reported issues.

Google’s Project Zero team reported a total of 76 iOS vulnerabilities between 2019 and 2021, and only 16 Android bugs, but the imbalance results from the manner in which Apple ships security updates: since patches for Apple applications are included in iOS updates, Project Zero counts them as platform issues.

[READ: Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy]

The team reported 40 bugs found in Chrome, 27 in WebKit, and 8 in Firefox, and observed that these were fixed, on average, within 46 days.

At the moment, Chrome is the fastest of the three in terms of time to fix, with “an average of 5 days between the bug report and the patch landing in public,” Project Zero says.

Fixes for Firefox are shipped, on average, in 38 days, while those for WebKit receive patches the slowest, at an average of 73 days.

“Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed. Over the past three years vendors have, for the most part, accelerated their patch effectively reducing the overall average time to fix to about 52 days,” the team says.

However, Project Zero also points out that vendors might be rushing to release patches to avoid the risk of public disclosure when the deadline is reached, and encourages vendors to release metrics to paint a better picture of how quickly vulnerabilities are being addressed across the industry.

Related: Project Zero: Zoom Platform Missed ASLR Exploit Mitigation

Related: Project Zero Flags High-Risk Zoom Security Flaw

Related: Google Discloses Details of Unpatched Windows AppContainer Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.