Project Zero researchers see promising trends in vulnerability fixes
Big tech vendors generally are remediating serious bugs faster than they were three years ago, according to a new report from Google’s Project Zero.
The data — while limited to vulnerabilities the group itself reported between January 2019 and December 2021, and influenced by what the group’s researchers have chosen to pursue — offers “a number of promising trends,” according to Ryan Schoen of Project Zero.
“Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed,” he wrote. In 2021 there was not “a single 90 day deadline exceeded,” which could be because responsible disclosure policies are becoming more standard across the industry, “and vendors are more equipped to react rapidly to reports with differing deadlines,” he wrote.
Under the team’s vulnerability disclosure policy, it privately tells a vendor about a bug first, with the warning that it will publish the information after 90 days if the vendor takes no action. Vendors can get a 14-day extension beyond those 90 days if a patch is already on its way.
Project Zero reported 376 issues to vendors in the roughly three-year time frame, and 350 — 93.1 percent — have been fixed, the data show. The bulk of the reports are for products from three main vendors: Microsoft (26 percent), Apple (23 percent) and Google (16 percent).
The overall time it’s taken for vendors to fix bugs and release fixed versions to the public has “consistently been decreasing” over the time frame, Schoen noted. Microsoft, Apple and developers for Linux have all reduced their time to fix, while a host of other major vendors — such as Adobe, Aapache, Facebook, Github, Oracle and others — have “collectively cut their time to fix in half,” he wrote, but that could be a reflection of less Project Zero research on those vendors as well.
In a more apples-to-apples comparison, the team looked at its work on mobile phone operating system bugs, focusing on iOS, Android (Samsung) and Android (Pixel). All three vendors have an “extraordinarily similar average time to fix,” Schoen wrote, ranging from 69 days to 72 days.
Shoen added that a caveat with the group’s data is that Project Zero bug reports “may be outliers” in that vendors know the bugs will be reported within a defined timeline, and also because “Project Zero is a trusted source of reliable bug reports.”
Formed in 2014, the group includes widely recognized security researchers, and earned plaudits as it works with vendors to help secure their products and the wider internet. Project Zero also has ruffled feathers of both vendors and Western government hackers upset that the group’s work has burned counterterrorism operations.