Assessing the efficiency of fixing vulnerabilities found by Google Project Zero

Researchers from the Google Project Zero team have summarized data on how quickly vendors respond to the discovery of new vulnerabilities in their products. Under Google's policy, a vendor is given 90 days to fix a vulnerability identified by Project Zero researchers, and public disclosure can be deferred by a further 14 days on a separate request. After 104 days, the vulnerability is disclosed even if the issue remains unpatched.

From 2019 to 2021, the project identified 376 issues, of which 351 (93.4%) were fixed. 11 (2.9%) vulnerabilities remained unpatched, and another 14 (3.7%) issues were marked as will-not-fix (WontFix). Over the years, the number of vulnerabilities whose patches missed the allotted window has declined: in 2021, the additional 14 days were requested for 14% of issues, and only one vulnerability remained unpatched at disclosure.

Vendor      Issues   Fixed in 90 days   Fixed in additional 14 days   Not fixed in allotted time   Average days to fix
Apple       84       73 (87%)           7 (8%)                        4 (5%)                       69
Microsoft   80       61 (76%)           15 (19%)                      4 (5%)                       83
Google      56       53 (95%)           2 (4%)                        1 (2%)                       44
Linux       25       24 (96%)           0 (0%)                        1 (4%)                       25
Adobe       19       15 (79%)           4 (21%)                       0 (0%)                       65
Mozilla     10       9 (90%)            1 (10%)                       0 (0%)                       46
Samsung     10       8 (80%)            2 (20%)                       0 (0%)                       72
Oracle      7        3 (43%)            0 (0%)                        4 (57%)                      109
Others*     55       48 (87%)           3 (5%)                        4 (7%)                       44
TOTAL       346      294 (84%)          34 (10%)                      18 (5%)                      61
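The disclosure policy described above (90 days, a further 14 on request, disclosure no later than day 104) is what sorts each issue into the table's columns. As an added example, not code from the article or from Project Zero, the following tracker applies those rules to a set of reports and aggregates them per vendor into the same buckets: fixed within 90 days, fixed within the extra 14 days, not fixed in the allotted time, and average days to fix. The vendor names, dates and `Report` structure are constructed for illustration.

```python
# Added example: apply the 90 + 14 day disclosure policy to a set of reports
# and aggregate them into the same buckets as the vendor table.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

STANDARD_DEADLINE_DAYS = 90   # disclosure deadline under the policy
GRACE_DAYS = 14               # extension granted only on a separate request
HARD_DEADLINE_DAYS = STANDARD_DEADLINE_DAYS + GRACE_DAYS  # 104: disclosed regardless


@dataclass
class Report:
    vendor: str
    reported: date            # day the vendor was notified
    fixed: Optional[date]     # day the fix shipped; None while still unpatched
    grace_requested: bool = False


def disclosure_deadline(r: Report) -> date:
    """Day on which the issue becomes public under the policy."""
    days = HARD_DEADLINE_DAYS if r.grace_requested else STANDARD_DEADLINE_DAYS
    return r.reported + timedelta(days=days)


def classify(r: Report, today: date) -> str:
    """Map a report to one of the table's buckets.

    'fixed_90'    fixed within the 90-day window
    'fixed_grace' fixed within the extra 14 days that were requested
    'missed'      unpatched at disclosure, or fixed only after the deadline
    'open'        unpatched, but the deadline has not yet passed
    """
    if r.fixed is None:
        return "missed" if today >= disclosure_deadline(r) else "open"
    elapsed = (r.fixed - r.reported).days
    if elapsed <= STANDARD_DEADLINE_DAYS:
        return "fixed_90"
    if r.grace_requested and elapsed <= HARD_DEADLINE_DAYS:
        return "fixed_grace"
    # A fix on day 95 without a grace request also lands here: disclosure
    # already happened on day 90.
    return "missed"


def summarize(reports: List[Report], today: date) -> Dict[str, dict]:
    """Per-vendor bucket counts plus average days to fix over fixed issues."""
    out: Dict[str, dict] = defaultdict(lambda: {
        "total": 0, "fixed_90": 0, "fixed_grace": 0, "missed": 0, "open": 0,
        "avg_days_to_fix": None, "_fix_days": [],
    })
    for r in reports:
        row = out[r.vendor]
        row["total"] += 1
        row[classify(r, today)] += 1
        if r.fixed is not None:
            row["_fix_days"].append((r.fixed - r.reported).days)
    for row in out.values():
        days = row.pop("_fix_days")
        if days:
            row["avg_days_to_fix"] = round(sum(days) / len(days), 1)
    return dict(out)


# Constructed sample data: hypothetical vendors and dates, not from the article.
TODAY = date(2021, 7, 1)
SAMPLE = [
    Report("VendorA", date(2021, 1, 4), date(2021, 2, 3)),                          # 30 days
    Report("VendorA", date(2021, 1, 4), date(2021, 4, 20), grace_requested=True),   # 106 days
    Report("VendorA", date(2021, 3, 1), date(2021, 6, 4), grace_requested=True),    # 95 days
    Report("VendorB", date(2021, 2, 1), date(2021, 2, 21)),                         # 20 days
    Report("VendorB", date(2021, 5, 10), None),                                     # deadline not yet reached
    Report("VendorB", date(2021, 1, 1), None),                                      # unpatched past deadline
]

if __name__ == "__main__":
    for vendor, row in summarize(SAMPLE, TODAY).items():
        print(vendor, row)
```

Note that an issue fixed between day 90 and day 104 counts as "fixed in the additional 14 days" only if the extension was actually requested; otherwise disclosure happened on day 90 and the fix arrived after the issue was already public, which is the "not fixed in allotted time" column.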

On average, a vulnerability took 52 days to patch in 2021, 54 days in 2020, 67 days in 2019 and 80 days in 2018. Vulnerabilities were fixed most quickly in the Linux kernel: an average of 15, 22 and 32 days in 2021, 2020 and 2019 respectively. Microsoft was the slowest to release a patch, taking an average of 76, 87 and 85 days over the same years (in the first table, which covers the whole period, Oracle was the slowest with 109 days to patch). Apple took an average of 64, 63 and 71 days to fix. For Google products, the average time to produce a patch over those years was 53, 22 and 49 days.

Vendor      Bugs in 2019 (avg days to fix)   Bugs in 2020 (avg days to fix)   Bugs in 2021 (avg days to fix)
Apple       61 (71)                          13 (63)                          11 (64)
Microsoft   46 (85)                          18 (87)                          16 (76)
Google      26 (49)                          13 (22)                          17 (53)
Linux       12 (32)                          8 (22)                           5 (15)
Others*     54 (63)                          35 (54)                          14 (29)
TOTAL       199 (67)                         87 (54)                          63 (52)

Among browser vendors, Chrome produces fixes the fastest, but Firefox ships a release containing the fix sooner after the fix lands (in Chrome and Safari, a vulnerability already fixed in the source code can remain undelivered to users for a long time, a window that attackers exploit).

Browser   Issues   Avg days from notification to publication of fix   Avg days from publication of patch to product release   Avg days from notification to release with fix
Chrome    40       5.3                                                24.6                                                    29.9
WebKit    27       11.6                                               61.1                                                    72.7
Firefox   8        16.6                                               21.1                                                    37.8
Total     75       8.8                                                37.3                                                    46.1



Source: opennet.ru
