Researchers from the Google Project Zero team have summarized data on how quickly vendors respond to vulnerabilities discovered in their products. Under Google's policy, a vendor is given 90 days to fix a vulnerability reported by Project Zero; on a separate request, public disclosure can be pushed back by another 14 days. After 104 days the vulnerability is disclosed even if it remains unpatched.
From 2019 to 2021 the project reported 376 issues, of which 351 (93.4%) were fixed. 11 (2.9%) vulnerabilities remained unpatched, and another 14 (3.7%) issues were marked as not to be fixed (WontFix). Over the years, the number of vulnerabilities whose patches did not fit into the allotted window has decreased: in 2021, the additional 14 days were requested for 14% of the issues, and only one vulnerability was still unpatched at disclosure.
| Manufacturer | Number of problems | Fixed in 90 days | Fixed in an additional 14 days | Not fixed in allotted time | Average days to fix |
|---|---|---|---|---|---|
| Apple | 84 | 73 (87%) | 7 (8%) | 4 (5%) | 69 |
| Microsoft | 80 | 61 (76%) | 15 (19%) | 4 (5%) | 83 |
| Google | 56 | 53 (95%) | 2 (4%) | 1 (2%) | 44 |
| Linux | 25 | 24 (96%) | 0 (0%) | 1 (4%) | 25 |
| Adobe | 19 | 15 (79%) | 4 (21%) | 0 (0%) | 65 |
| Mozilla | 10 | 9 (90%) | 1 (10%) | 0 (0%) | 46 |
| Samsung | 10 | 8 (80%) | 2 (20%) | 0 (0%) | 72 |
| Oracle | 7 | 3 (43%) | 0 (0%) | 4 (57%) | 109 |
| Others* | 55 | 48 (87%) | 3 (5%) | 4 (7%) | 44 |
| TOTAL | 346 | 294 (84%) | 34 (10%) | 18 (5%) | 61 |
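As an added example (not code from the Project Zero report or from opennet.ru), the following Python snippet models the disclosure policy described above: it buckets tracked bugs into the same three columns as the table above (fixed within 90 days, fixed within the extra 14 days, not fixed in time) and computes the per-vendor average days to fix. The TrackedBug fields, the vendor names and the sample dates are constructed; it also assumes that a fix landing on days 91 to 104 counts as inside the extension only when the extension was actually requested, which the page does not spell out.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEADLINE_DAYS = 90       # standard window given to the vendor
GRACE_DAYS = 14          # extension, granted only when the vendor requests it
HARD_DEADLINE_DAYS = DEADLINE_DAYS + GRACE_DAYS   # 104: public regardless of patch state

@dataclass
class TrackedBug:                    # constructed record type, not from the report
    vendor: str
    reported: date
    fixed: Optional[date] = None     # None: still unpatched
    grace_requested: bool = False

def deadline(bug):  # last embargo day: day 90, or day 104 if the extension was requested
    return bug.reported + timedelta(days=DEADLINE_DAYS + (GRACE_DAYS if bug.grace_requested else 0))
def classify(bug, today):
    """Bucket one bug the way the table above does."""
    if bug.fixed is None:
        return "missed" if today > deadline(bug) else "open"   # 'open': embargo not yet expired
    days = (bug.fixed - bug.reported).days
    if days <= DEADLINE_DAYS:
        return "fixed_90"
    # Assumption not stated on the page: days 91-104 count only if the extension was requested.
    if days <= HARD_DEADLINE_DAYS and bug.grace_requested:
        return "fixed_grace"
    return "missed"
def summarize(bugs, today):
    """Per-vendor bucket counts plus average days to fix (over fixed bugs only)."""
    rows = defaultdict(lambda: {"total": 0, "fixed_90": 0, "fixed_grace": 0, "missed": 0, "open": 0, "days": []})
    for b in bugs:
        r = rows[b.vendor]
        r["total"] += 1
        r[classify(b, today)] += 1
        if b.fixed is not None:
            r["days"].append((b.fixed - b.reported).days)
    for r in rows.values():
        d = r.pop("days")
        r["avg_days"] = round(sum(d) / len(d), 1) if d else None
    return dict(rows)
# Constructed sample bugs (not from the report); elapsed days noted in comments.
SAMPLE = [
    TrackedBug("VendorA", date(2021, 1, 1), date(2021, 3, 1)),                        # fixed on day 59
    TrackedBug("VendorA", date(2021, 1, 1), date(2021, 4, 10), grace_requested=True),  # day 99, extension asked
    TrackedBug("VendorA", date(2021, 1, 1), date(2021, 4, 10)),                       # day 99, no extension
    TrackedBug("VendorB", date(2021, 1, 1)),                                          # unpatched, deadline passed
    TrackedBug("VendorB", date(2021, 6, 1), grace_requested=True),                    # unpatched, embargo running
]
REPORT = summarize(SAMPLE, today=date(2021, 7, 1))
```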
On average it took 52 days to patch a vulnerability in 2021, 54 days in 2020, 67 days in 2019 and 80 days in 2018. Vulnerabilities were fixed fastest in the Linux kernel, with an average of 15, 22 and 32 days in 2021, 2020 and 2019 respectively. Microsoft was the slowest to release a patch, averaging 76, 87 and 85 days (in the first table, which covers the whole period, Oracle was the slowest at 109 days). Apple took an average of 64, 63 and 71 days to fix. For Google products, the average time to produce a patch over the same years was 53, 22 and 49 days.
| Vendor | Bugs in 2019 (avg days to fix) | Bugs in 2020 (avg days to fix) | Bugs in 2021 (avg days to fix) |
|---|---|---|---|
| Apple | 61 (71) | 13 (63) | 11 (64) |
| Microsoft | 46 (85) | 18 (87) | 16 (76) |
| Google | 26 (49) | 13 (22) | 17 (53) |
| Linux | 12 (32) | 8 (22) | 5 (15) |
| Others* | 54 (63) | 35 (54) | 14 (29) |
| TOTAL | 199 (67) | 87 (54) | 63 (52) |
Among browser vendors, fixes are produced fastest for Chrome, but Firefox is fastest at shipping a fix to users once it exists (in Chrome and Safari, a vulnerability that is already fixed in the source code stays undelivered to users for a long time, a window that attackers exploit).
| Browser | Bugs | Avg days from report to fix | Avg days from fix to release | Avg days from report to release |
|---|---|---|---|---|
| Chrome | 40 | 5.3 | 24.6 | 29.9 |
| WebKit (Safari) | 27 | 11.6 | 61.1 | 72.7 |
| Firefox | 8 | 16.6 | 21.1 | 37.8 |
| Total | 75 | 8.8 | 37.3 | 46.1 |
Source: opennet.ru