Researchers credit greater transparency and responsible disclosure policies for improvements in the patching process

Security vulnerabilities reported by Project Zero in 2021 were patched 28 days faster on average than in 2019, Google’s zero-day security research team has revealed.

Hardware and software vendors took an average of 52 days to fix security flaws last year, well below the 90-day deadline and down from an average of 80 days two years prior.

Only one bug exceeded its fix deadline, although 14% required the additional 14-day grace period before a working fix was released.

‘Increasing transparency’

“We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines,” said Ryan Schoen of Project Zero in a blog post.

“We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.”

However, Schoen cautioned that Project Zero reports may be outliers “in that they may receive faster action as there is a tangible risk of public disclosure (as the team will disclose if deadline conditions are not met) and Project Zero is a trusted source of reliable bug reports”.

Across 2019, 2020, and 2021, Project Zero reported 376 issues to vendors under its standard 90-day remediation deadline, 351 (93.4%) of which were fixed, while vendors declined to fix 14 (3.7%) bugs.

At 25 days, Linux had the quickest average time to a fix, followed by Google (44) and Mozilla (46). Oracle was the slowest (109), albeit from a small sample of seven bugs, followed by Microsoft (83) and Samsung (72).


Among the three leading open-source browsers (data being unavailable for their proprietary rivals), Chrome had the shortest gap between receiving bug reports and shipping fixes to users, at 30 days, followed by Firefox (38 days) and Safari (73).

Project Zero commended Google’s rapid release cycle and additional stable releases for security updates, and Chrome’s recent switch from a six-week to a four-week release cycle.

Apple drew plaudits for faster fix rollouts overall, but was criticized for a large interval between landing WebKit patches and shipping them to users, which “leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users”, Schoen warned.

Microsoft’s comparative slowness in patching was blamed on “the monthly cadence” of its ‘Patch Tuesday’ updates.

Record VRP payouts

Google has also announced that it paid out a record-breaking $8.7 million in rewards to security researchers under its Vulnerability Reward Programs (VRPs) in 2021.

The Chrome VRP, which covers not only Google Chrome security but that of several other browsers built on Chromium, awarded $3.3 million for 333 bug reports, with the biggest payout, $45,000, awarded for a Chrome OS flaw.

The Android VRP paid out nearly $3 million, double the total rewards across 2020, including $157,000 for a single exploit chain – the highest-ever Android reward.

Ethical hackers donated more than $300,000 of their rewards to charity.
