Research from Google's security research team, Project Zero, shows that Linux developers fix security vulnerabilities more quickly than anyone else (including Google).
From 2019 to 2021, Project Zero reported a total of 376 issues to vendors under its standard 90-day disclosure deadline. Of these, 351 (93.4%) have been fixed, 14 (3.7%) were flagged by the vendor as WontFix, and 11 (2.9%) remain unfixed. At the time of the report, 8 of those 11 had passed their fix deadlines; the remaining 3 were still within their deadlines. Most vulnerabilities were concentrated in a small number of vendors, with 96 (26 percent) reported to Microsoft, 85 (23 percent) to Apple, and 60 (16 percent) to Google.
Project Zero gives vendors a standard 90-day deadline plus a 14-day grace period to address security issues. The study found that open source developers fixed Linux issues in an average of 25 days. By comparison, Apple took 69 days, Google 44 days and Mozilla 46 days to fix the vulnerabilities reported to them. At the bottom of the list were Microsoft at 83 days and Oracle at 109 days (although Oracle had only a few reported issues). Other open source organizations and companies, mainly Apache, Canonical, GitHub and Kubernetes, averaged 44 days.
Overall fix times have been decreasing, most notably between 2019 and 2020. During this period, Microsoft, Apple and Linux all reduced their fix times, with Linux moving from 32 days in 2019 to just 15 days in 2021, while Google sped up in 2020 and then slowed down again in 2021. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities.
In addition to finding that the 2021 average was well below the 90-day deadline, the team found that the number of vendors missing the deadline or the additional 14-day grace period also declined. Only one Google Android security issue exceeded the fix deadline last year, compared to an average of nine per year in the other two years; the grace period was used a total of nine times (Microsoft alone accounted for half of them), slightly lower than the average of 12.5 times in the other years.
Among mobile operating systems, Apple iOS (70 days on average) released patches slightly faster than Google Android (72 days on average). On the other hand, iOS accounted for 72 reported bugs, far more than Android's 10 issues.
Browser issues are also being fixed at a faster rate. Chrome fixed its 40 reported issues in an average of under 30 days, and Mozilla Firefox fixed its eight security vulnerabilities in an average of 37.8 days. WebKit, Apple's web browser engine used primarily by Safari, was the slowest: WebKit developers took more than 72 days on average to fix bugs.
The study notes that everyone is doing a better job of fixing vulnerabilities than in past years. This may be because responsible disclosure policies have become the industry's de facto standard, and vendors are now better able to respond quickly to reports. With increased transparency, companies have also been learning best practices from each other. ZDNet thinks much of this can be attributed to the evolution of open source development methods, where people realize that fixing bugs together is good for everyone.