Software vendors take an average of 52 days to resolve reported security issues. This is concluded by Google security researchers on the basis of last year’s findings.

Under the banner of Project Zero, Google’s security specialists actively hunt for threats in software by Google and other vendors. Threats are reported to vendors, who receive 90 days to resolve the issue.

In 2021, vendors took an average of 52 days to resolve reported issues. In 2020, the average was 54 days; in 2019, vendors took 67 days. Apple (62 days) and Microsoft (76 days) took the longest in 2021. Google itself took an average of 54 days last year. The Linux Foundation was the fastest, with an average of 15 days.

In 2021, only one party exceeded the 90-day limit. In 2020 and 2019, the deadline was missed nine times on average.

A total of 376 bugs were reported to vendors by Project Zero between 2019 and 2021. 93 percent of reported issues were fixed. Only 3 percent are expected to remain unsolved. Microsoft had the most security problems, followed by Apple and Google itself.

Over the past three years, Oracle took the longest to complete bug fixes (109 days), followed by Microsoft (83 days) and Samsung (72 days). Strikingly, a mere seven bugs originated from Oracle software.

Mobile operating systems and web browsers

The researchers also reviewed the number of problems in mobile operating systems and browsers. iOS had the most (76), followed by Samsung Android devices (10) and Google Pixel (6).

Most web browser bugs stemmed from Chrome (40), which took slightly more than 5 days to patch on average. WebKit — browser engine in iOS — recorded 27 bugs and an average patch period of 12 days. Firefox had 8 bugs and an average patch period of 17 days.

Researchers satisfied, more transparency desired

The Project Zero researchers are positive about the developments. The results underscore that most security issues are resolved in a decreasing period of time. Additionally, more and more organizations tweak their disclosure policies to take responsibility.

The researchers call on software vendors to draw up a systematic patch plan for security problems. Furthermore, vendors are urged to publicize the time they expect to require for patches, which holds them to a deadline and keeps end users informed. Project Zero concludes that more transparency ultimately increases software and Internet security