Project Zero researchers see promising trends in vulnerability fixes

Written by
Feb 10, 2022 | CYBERSCOOP

Big tech vendors generally are remediating serious bugs faster than they were three years ago, according to a new report from Google’s Project Zero.

The data — while limited to vulnerabilities the group itself reported between January 2019 and December 2021, and influenced by what the group’s researchers have chosen to pursue — offers “a number of promising trends,” according to Ryan Schoen of Project Zero.

“Vendors are fixing almost all of the bugs that they receive, and they generally do it within the 90-day deadline plus the 14-day grace period when needed,” he wrote. In 2021 there was not “a single 90 day deadline exceeded,” which could be because responsible disclosure policies are becoming more standard across the industry, “and vendors are more equipped to react rapidly to reports with differing deadlines,” he wrote.

Under the team’s vulnerability disclosure policy, it privately tells a vendor about a bug first, with the warning that it will publish the information after 90 days if the vendor takes no action. Vendors can get a 14-day extension beyond those 90 days if a patch is already on its way.

Project Zero reported 376

Read More: