Project Zero is Google's security team tasked with finding security flaws in the company's own products as well as those built by other vendors. After finding such an issue, it privately reports it to the vendor, giving them 90 days to fix the flaw before it is made public. Depending upon the complexity of the fix, a grace period may also be allotted. We have extensively covered the team's findings on Neowin in the past. Today, Google has shared some statistics regarding its research over the past couple of years.
Between January 2019 and December 2021, Project Zero reported 376 issues with a 90-day deadline. 351 (93.4%) of these have been fixed, 14 (3.7%) have been tagged as "WontFix" by vendors, and 11 (2.9%) are still open. However, out of the final category, three are still within the 90-day deadline.
Interestingly, 96 (26%) of the detected bugs were in Microsoft products, 85 (23%) in Apple's, and 60 (16%) in Google's. Oracle exceeded the most deadlines, with Microsoft in second place. The breakdown of how long it took major vendors to fix bugs in each year is shown below:
[Table: Vendor | Average days to fix bugs in 2019 | Average days to fix bugs in 2020 | Average days to fix bugs in 2021. Only the header row survived extraction; the per-vendor figures are not present here.]
As can be seen above, there are positive changes for vendors across the board. However, it is interesting to see that in 2021 the grace period was requested nine times, with half of those requests coming from Microsoft.
On mobile, 76 bugs were reported for iOS, 10 for Samsung products, and 6 for Pixels. The average fix time for iOS was 70 days, whereas it was 72 days for the other two. If you're wondering why such a high number of security flaws were detected on iOS, it is because Apple ships many apps as part of the OS, whereas Android app updates are primarily delivered through Google Play and so do not count as OS-level flaws.
On the browser side of things, 40 bugs were reported for Chrome, 27 for Apple's WebKit, and 8 for Firefox. WebKit was the slowest to patch flaws, coming in at 72 days, with Chrome at 30 days and Firefox at 38.
Google Project Zero has noted that:
Overall, we see a number of promising trends emerging from the data. Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed. Over the past three years vendors have, for the most part, accelerated their patching, effectively reducing the overall average time to fix to about 52 days. In 2021, there was only one 90-day deadline exceeded. We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines. We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.
One important caveat: we are aware that reports from Project Zero may be outliers compared to other bug reports, in that they may receive faster action as there is a tangible risk of public disclosure (as the team will disclose if deadline conditions are not met) and Project Zero is a trusted source of reliable bug reports. We encourage vendors to release metrics, even if they are high level, to give a better overall picture of how quickly security issues are being fixed across the industry, and continue to encourage other security researchers to share their experiences.
The Project Zero team has noted that Microsoft takes a long time to fix bugs because it usually relies on its Patch Tuesday update cadence. However, it hopes that Microsoft can find a better and more streamlined way to push out security updates faster. The Project Zero team has the same hopes and recommendations for Android security patching. You can find out more interesting details here.