Google Shifts Android Security Updates to a Risk-Based System
Google has altered its approach to Android security updates, breaking with a decade-long tradition of monthly vulnerability disclosures. In the July 2025 bulletin, the company reported no vulnerabilities whatsoever—a first in 120 publications. Yet by September, the list had suddenly swelled to 119 fixes.
This shift did not signify a “safe” July, but rather the introduction of Google’s new Risk-Based Update System (RBUS). Under this model, monthly updates will contain only patches for “high-risk” vulnerabilities—those actively exploited or forming part of known attack chains. All other flaws will be bundled into major quarterly releases in March, June, September, and December.
The company notes that this strategy should simplify the work of smartphone manufacturers. With fewer patches to integrate into monthly updates, vendors are more likely to publish them on time, while reserving greater effort for quarterly releases that will become the primary channel for the majority of fixes.
Google further reminds that many manufacturers previously limited updates to once every two or three months, especially for budget models. The new cadence is intended to standardize the process and guarantee at least quarterly protection for all devices.
The traditional vulnerability-handling cycle remains unchanged: researchers report flaws, Google verifies them, assigns CVE identifiers, and engineers craft fixes. If a flaw is critical and affects Project Mainline components, the patch may be delivered directly via Google Play System Update, without waiting for a full firmware update from the device maker.
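The cadence described above (monthly for high-risk fixes, quarterly baselines in March, June, September and December) gives a practitioner a simple yardstick: compare the patch level a device reports against the most recent quarterly release. The script below is an added example, not code from the article or from Google; it parses `adb shell getprop` output for the standard `ro.build.version.security_patch` property and classifies the device against that cadence. The sample property lines, the one-month threshold for "monthly" devices and the assumption that the quarterly baseline is dated to the first of the release month are mine, not anything the article states.

```python
"""
Added example (not from the article or from Google): check how far a device's
declared security patch level lags behind the RBUS cadence.

Assumptions (mine):
- `ro.build.version.security_patch` holds the YYYY-MM-DD patch level the
  device reports (it is a real Android system property).
- Quarterly releases land in March, June, September and December, and the
  quarterly baseline is taken as the 1st of that month.
- A device within one calendar month of today is treated as "monthly".
"""
from datetime import date

QUARTERLY_MONTHS = (3, 6, 9, 12)


def parse_getprop(output: str) -> dict:
    """Parse `getprop` lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # skip anything that is not a well-formed property line
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def latest_quarterly_before(today: date) -> date:
    """First day of the most recent quarterly release month on or before today."""
    year, month = today.year, today.month
    while month not in QUARTERLY_MONTHS:
        month -= 1
        if month == 0:
            month, year = 12, year - 1
    return date(year, month, 1)


def patch_status(props: dict, today: date) -> dict:
    """Classify the device's patch level relative to the RBUS cadence."""
    raw = props.get("ro.build.version.security_patch")
    if raw is None:
        return {"level": None, "status": "unknown"}
    level = date.fromisoformat(raw)
    baseline = latest_quarterly_before(today)
    months_behind = (today.year - level.year) * 12 + today.month - level.month
    if level < baseline:
        status = "behind_quarterly"   # missed the last quarterly release
    elif months_behind <= 1:
        status = "monthly"            # keeping up with monthly high-risk fixes
    else:
        status = "quarterly"          # has the quarterly baseline only
    return {
        "level": level.isoformat(),
        "baseline": baseline.isoformat(),
        "months_behind": months_behind,
        "status": status,
    }


# Constructed sample getprop output (not a real device capture).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-06-05]
[ro.product.model]: [Example]
"""

if __name__ == "__main__":
    device_props = parse_getprop(SAMPLE_GETPROP)
    print(patch_status(device_props, date(2025, 10, 1)))
```

On a real device, feed the script the output of `adb shell getprop` instead of the constructed sample. A device with a June patch level checked in October has missed the September quarterly release and is reported as `behind_quarterly`; the same level checked in mid-July counts as `monthly`.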
The Android Security Bulletin continues to play a central role, published in both public and private versions. The private bulletin is sent to manufacturers 30 days before publication to allow for patch testing. For quarterly releases, however, this lead time will be extended—a change that has raised concerns among third-party developers.
Representatives of GrapheneOS caution that the longer the window between distribution and publication, the higher the risk of vulnerability details leaking to malicious actors—though this remains a theoretical danger for now.
Another drawback is that source code for fixes will now be published only with quarterly updates, complicating matters for the custom-ROM community, which can no longer promptly integrate monthly patches.
Despite the changes, Google assures that users whose devices already receive monthly updates will continue to do so. For others, the transition to RBUS should bring greater predictability and more consistent protection. “Android and Pixel address vulnerabilities on a monthly basis, but priority is always given to those posing the highest risk,” a company representative affirmed.