Project Zero Reports Faster Bug Patching
Monday, 28 February 2022
In 2021 it took an average of only 52 days for bugs reported by Project Zero to be fixed, a significant improvement on the average of 80 days three years ago. Linux produced the fastest fixes, while Apple and Microsoft were the slowest over the period studied. Formed by Google in 2014, Project Zero is a team of security researchers who aim to improve the safety and security of the Internet by performing vulnerability research on widely used software such as mobile operating systems, web browsers and open source libraries.
In the overview to his recent report on Project Zero metrics, which looked at bugs reported between January 2019 and the end of 2021, Ryan Schoen writes:
For nearly ten years, Google’s Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. In that time, we have partnered with folks across industry to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people’s software.
When Project Zero identifies a vulnerability it is reported to the vendor, who is given 90 days to fix it and ship a patched version to the public. There is, however, a 14-day grace period: if the vendor confirms that it plans to release a fix within that extension, the deadline moves to the end of a 104-day window from the original report.
During the three-year period under scrutiny Project Zero reported 376 issues to vendors. Of these, 351 (93.4%) were fixed, 14 (3.7%) were marked WontFix by the vendors and 11 (2.9%) remain unfixed, 3 of which were still within their deadline.
Bug fix time 2019-2021, by bug report volume
*Others in the table include Adobe, Mozilla, Samsung, Oracle, GitHub, Apache, Facebook, Canonical and many more.

The table gives the number of bugs per vendor for each year and shows a trend towards fewer bugs per year, the exception being Google. The longest times to fix bugs were in 2019, with a distinct improvement in 2020 for every vendor apart from Microsoft. In 2021 the overall average days to fix was shorter again, despite longer times than the previous year for Apple and Google. Looking at the number of bugs per vendor, Apple and Microsoft stand out as having the largest number of vulnerabilities, weighted towards the first year, and as being the slowest to issue a patch, while Linux, which has a relatively low number of vulnerabilities, leads in terms of alacrity.
Noting that vendors are now fixing almost all of the bugs that they receive and that in 2021 only one bug exceeded the 90-day deadline, Schoen comments:
We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines. We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.
More Information
A walk through Project Zero metrics

Related Articles
GitHub Security Bug Bounty Milestones
Over $21 Million In Google Bug Bounty