"Vulnerabilities Found by Google Researchers in 2021 Got Patched on Average in 52 Days"

Google Project Zero saw a decrease in the overall time vendors take to address vulnerabilities reported by the bug hunting team. The team reported 376 vulnerabilities between 2019 and 2021, and most of them (351) were patched. Of the remaining flaws, vendors marked 14 as "WontFix," and the other 11 went unfixed. According to Google Project Zero's policy, vendors have 90 days to address reported security vulnerabilities. However, they can request a 14-day grace period if a patch will be shipped within the resulting 104-day window. Most of the 376 vulnerabilities were patched within that window, with only 5 percent passing the deadline and grace period. In 2021, vendors needed an average of 52 days to address the reported security flaws, down from 54 days in 2020 and 67 days in 2019. Google Project Zero says the overall time to fix flaws has consistently been decreasing, especially between 2019 and 2020. The team says that only one deadline was exceeded in 2021, a decrease from the 9 deadlines exceeded between 2019 and 2020. The grace period was used only 9 times in 2021. Many of the fixes made during the three-year period came from Apple, Microsoft, Google, Linux, and Adobe. These vendors needed, on average, less than 90 days to address the reported flaws. Google Project Zero reported 76 iOS vulnerabilities and 16 Android bugs between 2019 and 2021. This imbalance stems from how Apple releases security updates. This article continues to discuss findings regarding the patching of vulnerabilities reported by Google researchers.

Security Week reports "Vulnerabilities Found by Google Researchers in 2021 Got Patched on Average in 52 Days"

 

Submitted by Anonymous on