The time it takes to fix a bug is getting shorter year by year, but which vendor fixes fastest?

On February 10, 2022, Google's vulnerability discovery team Project Zero released a report on the bugs it discovered between 2019 and 2021 and on how those bugs were actually fixed. The report found that the period from the discovery of a vulnerability to the release of a patch has been greatly shortened, and that the time taken to fix bugs differs among the major IT companies.

Project Zero: A walk through Project Zero metrics

Below is a table summarizing the bugs discovered by Project Zero between 2019 and 2021 and the time taken to fix them. The columns, from the left, are 'Vendor', 'Total number of bugs', 'Fixed within 90 days', 'Fixed after 90 days but within the 14-day grace period', 'Exceeded the deadline, or still within the grace period at the time the report was written', and 'Average number of days until fix'. Of the major vendors (excluding 'Others'), Linux took the shortest time to fix, with an average fix time of 25 days. Across all vendors, the average number of days to fix a bug was 61.
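As an added illustration (not part of the original article or of Project Zero's report), the script below buckets bug records into the same columns the table uses, applying the 90-day deadline and 14-day grace period. The vendor names and dates are constructed sample data; bugs with no fix date are counted in the 'exceeded or pending' column and the average is taken over fixed bugs only, both of which are assumptions made here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEADLINE_DAYS = 90   # Project Zero's standard disclosure deadline
GRACE_DAYS = 14      # grace period granted when a fix is imminent


@dataclass
class Bug:
    vendor: str
    reported: date
    fixed: Optional[date]   # None if the bug was still open when the report was written


def classify(bug: Bug) -> str:
    """Assign one bug to a column of the metrics table."""
    if bug.fixed is None:                      # assumption: open bugs go in the last column
        return "exceeded_or_pending"
    days = (bug.fixed - bug.reported).days
    if days <= DEADLINE_DAYS:
        return "within_90"
    if days <= DEADLINE_DAYS + GRACE_DAYS:
        return "within_grace"
    return "exceeded_or_pending"


def summarize(bugs: list) -> dict:
    """Build the per-vendor rows: counts per column plus average days to fix."""
    rows = {}
    for b in bugs:
        r = rows.setdefault(b.vendor, {"total": 0, "within_90": 0, "within_grace": 0,
                                       "exceeded_or_pending": 0, "_days": []})
        r["total"] += 1
        r[classify(b)] += 1
        if b.fixed is not None:                # assumption: average over fixed bugs only
            r["_days"].append((b.fixed - b.reported).days)
    for r in rows.values():
        days = r.pop("_days")
        r["avg_days"] = round(sum(days) / len(days), 1) if days else None
    return rows


# Constructed sample records; vendor names are placeholders, not real report data.
SAMPLE_BUGS = [
    Bug("VendorA", date(2021, 1, 4), date(2021, 1, 29)),    # 25 days
    Bug("VendorA", date(2021, 3, 1), date(2021, 6, 1)),     # 92 days, inside grace
    Bug("VendorA", date(2021, 5, 10), date(2021, 9, 30)),   # 143 days, exceeded
    Bug("VendorB", date(2021, 8, 2), date(2021, 9, 1)),     # 30 days
    Bug("VendorB", date(2021, 12, 1), None),                # still open
]

if __name__ == "__main__":
    for vendor, row in summarize(SAMPLE_BUGS).items():
        print(vendor, row)
```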

Both the number of bugs and the number of days needed to fix them are falling year by year. Below is a table showing, by year, the number of bugs from the four vendors with the most bugs and the number from all other vendors; the numbers in parentheses in each cell are the average days to fix. In 2019, 199 bugs were discovered, compared with 63 in 2021. The average time to fix a bug also fell from 67 days to 52 days. According to Project Zero, an average of nine bugs per year passed the deadline in 2019 and 2020, but only one did in 2021.

Among the bugs found across the various platforms, those concerning mobile OSes are as follows. Comparing iOS and Android, the number of days between the discovery of a bug and its fix was about the same. By contrast, 76 bugs were found in iOS versus 16 in Android (covering Samsung smartphones and Google's Pixel series). Project Zero said, 'This is not due to a research imbalance; it reflects how Apple releases software. On iOS, security updates for individual apps like iMessage, FaceTime, and Safari are released as part of an OS update, so they are counted as iOS bugs, while Android apps are not counted because they are fixed through the Google Play Store.'

Comparing browsers rather than OSes by the number of days until a bug is fixed shows which browsers fix bugs faster. Below is a graph with the number of bugs on the vertical axis and the number of days required to fix them on the horizontal axis: Mozilla Firefox in yellow, WebKit (the rendering engine used in Safari) in red, and Google Chrome in blue.

Of the most popular browsers, Chrome has the shortest time to fix a bug, averaging 30 days from receiving a bug report until the fix ships in the stable version, with the patch itself taking about 5 days to be released. Firefox, by contrast, took an average of 38 days to release a fix, and WebKit an average of 73 days. Project Zero says, 'We are a team within Google, but we report Chrome bugs under the same procedures and policies as external security researchers.'

On top of that, Project Zero commented on the overall trend: 'In the last three years, most vendors have accelerated the release of fix patches, reducing the time required for fixes to about 52 days. In 2021, for example, only one bug was overdue. This trend reflects that responsible disclosure policies have become the de facto standard in the industry and that vendors are ready to respond quickly to bug reports with various deadlines. I also speculate that the industry is becoming more transparent because vendors are learning best practices from each other.'

in Software, Security, Posted by log1l_ks