There is an ongoing discussion about how quickly (or how slowly) developers patch reported vulnerabilities. Google's Project Zero has therefore looked at how fast security vulnerabilities are closed in Linux and in products from Microsoft (Windows) and Apple (macOS). The analysis covers vulnerabilities that Project Zero reported to the respective vendors/developers between 2019 and 2021. The result: Linux developers patch by far the fastest.
The team's evaluation can be found in this publication. Its first finding is that vulnerabilities have been patched noticeably faster over the last three years. In 2021, vendors needed an average of 52 days to fix a vulnerability reported by Project Zero, down from an average of about 80 days three years earlier.
In 2021, vendors also met the 90-day disclosure deadline set by Google Project Zero (plus a 14-day extension granted on request) in all but one case. Only 14% of the reported vulnerabilities needed the 14-day extension before a security update was available.
Between 2019 and 2021, Project Zero reported 376 issues to vendors, each with a 90-day deadline before details of the vulnerability are published. Interesting results:
- 351 (93.4%) of these bugs were fixed, while 14 (3.7%) were marked as "not fixed" by vendors.
- 11 (2.9%) other bugs have not yet been fixed, with 8 bugs having passed the deadline for their fixes at the time of writing; the remaining 3 bugs are still within the deadline for their fixes.
Most vulnerabilities are concentrated among a few vendors:
- 96 bugs (26%) were reported to Microsoft,
- 85 (23%) to Apple, and
- 60 (16%) to Google.
The average time it took to patch reported vulnerabilities between 2019 and 2021 is interesting:
- Linux: 15 days
- Google: 44 days
- Mozilla: 46 days
- Apple: 69 days
- Microsoft: 83 days
- Oracle: 109 days
Here's the relevant table from the Google Project Zero release.
Looking only at 2021, the project published the following numbers:
- Linux: 5 bugs, fix in 15 days
- Google: 17 bugs, fix in 53 days
- Apple: 11 bugs, fix in 64 days
- Microsoft: 16 bugs, fix in 76 days
So again, the picture is that Linux is well ahead in time to fix vulnerabilities. The Google Project Zero article contains further figures on fixing vulnerabilities in browsers and in mobile operating systems.
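The figures above are averages over a reporting process with two rules: a 90-day deadline from the report date, and an optional 14-day grace period granted on request. The following script is an added example (not code from the Project Zero post or from this blog) of how such a tracker classifies each report against those rules and computes per-vendor average days-to-fix, as used in both the 2019-2021 and the 2021-only lists above. The vendor names and report dates in `SAMPLE_REPORTS` are constructed for illustration; the status names and the `Report` fields are my own assumptions, not Project Zero's data model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple

DISCLOSURE_DEADLINE_DAYS = 90   # standard Project Zero deadline
GRACE_PERIOD_DAYS = 14          # extension granted on request when a fix is imminent


@dataclass
class Report:
    vendor: str
    reported: date
    fixed: Optional[date] = None     # None: no fix shipped yet
    wont_fix: bool = False           # vendor marked the issue as "not fixed"
    extension_granted: bool = False  # the 14-day grace period was requested and granted


def disclosure_date(r: Report) -> date:
    """Date on which details become public if no fix has shipped."""
    days = DISCLOSURE_DEADLINE_DAYS + (GRACE_PERIOD_DAYS if r.extension_granted else 0)
    return r.reported + timedelta(days=days)


def days_to_fix(r: Report) -> Optional[int]:
    """Calendar days from report to fix, or None while the issue is open."""
    return None if r.fixed is None else (r.fixed - r.reported).days


def classify(r: Report, today: date) -> str:
    """Bucket a report the way the deadline statistics above are bucketed."""
    if r.wont_fix:
        return "wont_fix"
    if r.fixed is None:
        return "open_past_deadline" if today > disclosure_date(r) else "open_within_deadline"
    d = days_to_fix(r)
    if d <= DISCLOSURE_DEADLINE_DAYS:
        return "fixed_by_day_90"
    if r.extension_granted and d <= DISCLOSURE_DEADLINE_DAYS + GRACE_PERIOD_DAYS:
        return "fixed_in_grace_period"
    return "fixed_after_deadline"


def summarize(reports: List[Report], today: date) -> Tuple[Dict[str, int], Dict[str, float]]:
    """Return (count per status, mean days-to-fix per vendor over fixed reports only)."""
    counts: Dict[str, int] = {}
    per_vendor: Dict[str, List[int]] = {}
    for r in reports:
        status = classify(r, today)
        counts[status] = counts.get(status, 0) + 1
        d = days_to_fix(r)
        if d is not None:
            per_vendor.setdefault(r.vendor, []).append(d)
    means = {vendor: mean(days) for vendor, days in per_vendor.items()}
    return counts, means


# Constructed sample data (hypothetical vendors and dates, not real Project Zero reports).
AS_OF = date(2021, 12, 31)
SAMPLE_REPORTS = [
    Report("Linux", date(2021, 3, 1), fixed=date(2021, 3, 10)),                         # 9 days
    Report("Linux", date(2021, 5, 2), fixed=date(2021, 5, 23)),                         # 21 days
    Report("VendorA", date(2021, 1, 4), fixed=date(2021, 4, 15), extension_granted=True),  # 101 days
    Report("VendorA", date(2021, 6, 1), wont_fix=True),
    Report("VendorB", date(2021, 2, 1), fixed=date(2021, 4, 1)),                        # 59 days
    Report("VendorB", date(2021, 9, 1)),                                                # deadline 2021-11-30 passed
    Report("VendorC", date(2021, 11, 15)),                                              # deadline 2022-02-13 ahead
]

if __name__ == "__main__":
    counts, means = summarize(SAMPLE_REPORTS, AS_OF)
    for status, n in sorted(counts.items()):
        print(f"{status:22s} {n}")
    for vendor, avg in sorted(means.items()):
        print(f"{vendor:10s} mean days to fix: {avg:.1f}")
```

Note that the mean is taken only over fixed reports, which is also why the per-vendor averages above say nothing about how many issues are still open or marked "not fixed"; the status counts carry that information separately.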