Google Project Zero Statistics: Most Vendors Can Fix Vulnerabilities Within 90 Days

Google's security team Project Zero recently shared statistics from its security research over the past few years. Between January 2019 and December 2021, the team reported a total of 376 vulnerabilities, each subject to its 90-day disclosure deadline.


Of these, 351 (93.4%) were fixed, 14 (3.7%) were marked as “WontFix” by the vendor, and 11 (2.9%) remained unfixed. Of those 11, 3 are still within their 90-day period.

Of all reported vulnerabilities, 96 (26%) were found in Microsoft products, 85 (23%) in Apple products, and 60 (16%) in Google's own products. The specific data are as follows:

As the figures above show, vendor response has improved. Interestingly, however, the grace period was requested 9 times in 2021, half of them by Microsoft.

On the mobile side, 76 bugs were reported for iOS, 10 for Samsung products, and 6 for Pixel. The average time to fix for iOS was 70 days, compared to 72 days for the other two.

If you’re wondering why so many security flaws are found in iOS, it’s because Apple ships a large number of apps as part of the OS, whereas Android app updates are primarily delivered through Google Play, so those defects are not counted at the OS level.

In terms of browsers, Chrome had 40 bugs, Apple’s WebKit 27, and Firefox 8. WebKit was the slowest to patch, averaging 72 days, compared with 30 days for Chrome and 38 days for Firefox.

Google Project Zero states:

Overall, we see some promising trends emerging in the data. Vendors are fixing nearly every bug they receive, and they typically do so within a 90-day deadline, with a 14-day grace period if necessary. Over the past three years, vendors have accelerated their patches in most cases, effectively reducing the overall mean time to fix to about 52 days.

In 2021, only one 90-day period has been exceeded. We suspect this trend may be due to the fact that responsible disclosure policies have become the de facto standard in the industry, and suppliers are better equipped to respond quickly to reports with different deadlines. We also suspect that suppliers have learned best practices from each other as the industry becomes more transparent.

An important note: we know that reports from Project Zero may be outliers compared to other bug reports, as they may get quicker action due to the real risk of public disclosure (the team will disclose if the deadline conditions are not met), and Project Zero is a trusted source for reliable bug reports.

We encourage vendors to publish metrics, even high-level metrics, to better understand the speed at which security issues are being fixed across the industry, and continue to encourage other security researchers to share their experiences.
