Google Project Zero: 95.8% of security vulnerabilities are fixed during the 90-day disclosure period

Google Project Zero, a well-known security lab at Google, often discloses security vulnerabilities in various operating systems, software, and hardware. According to Google’s rules, if the vulnerability is not fixed within 90 days, the details of the vulnerability will be made public, in order to urge developers to quickly fix it. Of course, there are some additional situations, such as the Spectre, Meltdown vulnerability of Intel processors, which are more harmful, so Google will give a longer grace period.

Google Security Labs said that since the lab was founded, a total of 1,585 security vulnerabilities have been reported to software and hardware developers and most have been fixed. Some vulnerabilities, such as Windows 10, were disclosed by Google because the vendor failed to deliver a patch. Google said that the details of such vulnerabilities were only 66. That is to say, 95.83% of the vulnerabilities can be fixed before the disclosure period is announced, and the damage caused by the details of the vulnerabilities will be reduced after being repaired.

A large number of vulnerabilities have been properly fixed within the time specified by Google, but the time specified here is not a fixed 90 days, but a grace period (14-day). Google said there were 1,224 vulnerabilities that were fixed during the 90-day normal disclosure period, and 174 security vulnerabilities were fixed during the 14-day grace period granted by Google. However, there are still 36 security vulnerabilities that are disclosed without any security patches. These vulnerabilities are either a developer failure or the product has been terminated. These security vulnerabilities will never receive any updates and fixes, and for users, the vulnerability is far more harmful than the overdue fix.

Via: ZDNet