Project Zero Reports Faster Bug Patching
Monday, 28 February 2022

In 2021 it took an average of only 52 days for bugs reported by Project Zero to be fixed, a significant increase in speed compared to an average time of 80 days three years ago. Linux produced the fastest fixes and Google the slowest.

Formed by Google in 2014, Project Zero is a team of security researchers who try to improve the safety and security of the Internet by performing vulnerability research on popular software like mobile operating systems, web browsers, and open source libraries. 
pzerologo
In the overview to his recent report on Project Zero metrics which looked at bugs reported between January 2019 and 2021, Ryan Schoen writes:
For nearly ten years, Google’s Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. In that time, we have partnered with folks across industry to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people’s software. 
 
When Project Zero identifies a vulnerability it is referred to its "vendor" and they are given 90 days in which to fix it and ship a patched version to the public. There is however a 14-day grace period if a vendor confirms they plan to release a fix by the end of the extended 104-day window.
During the 3-year period under scrutiny Project Zero reported 376 issues to vendors. Of these 351 (93.4%) were fixed,14 (3.7%) were marked as WontFix by the vendors and 11 (2.9%)  remain unfixed, 3 of which were still within the deadline. 

Bug fix time 2019-2021, by bug report volume

 

2019

2020

2021

Vendor

Number of bugs (average days to fix)

Apple

61 (71)

13 (63)

11 (64)

Microsoft 

46 (85)

18 (87)

16 (76)

Google

26 (49)

13 (22)

17 (53)

Linux

12 (32)

8 (22)

5 (15)

Others*

54 (63)

35 (54)

14 (29)

TOTAL

199 (67)

87 (54)

63 (52)

*Others in the table include Adobe, Mozilla, Samsung, Oracle, GitHub, Apache, Facebook, Canonical and many more.

The table gives the number of bugs per year and shows a trend towards fewer bugs per year, the exception being Google. The longest times to fix bugs was in 2019 with a distinct improvement in 2020, apart from Microsoft. In 2021 the average days to fix was shorter over all vendors, despite longer times than the previous year for Apple and Google.  

Looking at the number of bugs per vendor, Apple and Microsoft stand out as having the largest number of vulnerabilities - weighted towards the first year -  and being the slowest to issue a patch and Linux, which has a relatively low number of vulnerabilities, leads in tems of alacrity. 
 
Noting that vendors are now fixing almost all of the bugs that they receive  and that in 2021 only one bug exceeded the 90-day deadline, Schoen comments:
We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines. We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.
 

expressvpnbug

More Information

A walk through Project Zero metrics

Related Articles

GitHub Security Bug Bounty Milestones

Mozilla Increases Bug Bounty

Who Are The Hackers and Why 

Over $21 Million In Google Bug Bounty

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Banner


Remembering Thomas Kurtz, Co-creator of BASIC
15/11/2024

Thomas Eugene Kurtz, the co-founder of the BASIC programming language, has died at the age of 96. BASIC, which was developed for the purpose of education, popularized computer programming making it ac [ ... ]



JavaZone - The Conference We Missed
25/10/2024

Amongst the many Java related conferences, this one flew under the radar. A real shame because it had many great sessions.
JavaZone might not be that famous internationally, but it still is the bi [ ... ]


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Monday, 28 February 2022 )