Google’s Project Zero released a report covering its work in 2021. It found that vendors took an average of 52 days to fix reported security vulnerabilities.
Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under their 90-day deadline.
Of those 376 issues, more than 93% have been fixed and over 3% have been marked as “WontFix” by the vendors, according to Project Zero.
The researchers added that 11 other bugs remain unfixed and 8 have passed their deadline to be fixed. Microsoft, Apple, and Google account for 65% of the bugs discovered. Microsoft led the way with 96 bugs, followed by 85 from Apple and 60 from Google.
“Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average. The bulk of fixes during a grace period comes from Apple and Microsoft (22 out of 34 total). Vendors have exceeded the deadline and grace period about 5% of the time over this period,” Project Zero researchers said.
“In this slice, Oracle has exceeded at the highest rate, but admittedly with a relatively small sample size of only about 7 bugs. The next-highest rate is Microsoft, having exceeded 4 of their 80