Software vendors took an average of 52 days last year to install security fixes for problems found by Google’s Project Zero.
Software providers are taking less time to fix zero-day vulnerabilities. That is the conclusion Google's Project Zero draws in its report.
These are vulnerabilities that Project Zero found and reported to the vendors. Last year, vendors fixed them within 52 days on average; three years ago, resolving a vulnerability took an average of 80 days.
Deadline met
Almost all vendors also met the 90-day disclosure deadline, which is the industry standard. If a vendor misses that initial deadline, the industry allows a further two-week grace period.
Between 2019 and 2021, Project Zero reported 376 zero day vulnerabilities to vendors. Over this period, only five percent of the alerts issued were not addressed within 90 days. In 2021, only one vulnerability was not addressed within this period.
Oracle and Microsoft slow to respond
Most vulnerabilities were found at Apple (84), Microsoft (80) and Google (56). The vendors that responded fastest were Linux, Mozilla and Google: Linux was clearly the fastest, with an average repair time of 25 days, while Google averaged 44 days.
Oracle was by far the slowest, averaging 109 days, although only 7 problems were identified there. Microsoft also takes its time to fix problems, averaging 83 days.