Project Zero Reports Faster Bug Patching
Monday, 28 February 2022

In 2021 it took an average of only 52 days for bugs reported by Project Zero to be fixed, a significant increase in speed compared to an average time of 80 days three years ago. Linux produced the fastest fixes and Google the slowest.

Formed by Google in 2014, Project Zero is a team of security researchers who try to improve the safety and security of the Internet by performing vulnerability research on popular software like mobile operating systems, web browsers, and open source libraries. 
In the overview to his recent report on Project Zero metrics which looked at bugs reported between January 2019 and 2021, Ryan Schoen writes:
For nearly ten years, Google’s Project Zero has been working to make it more difficult for bad actors to find and exploit security vulnerabilities, significantly improving the security of the Internet for everyone. In that time, we have partnered with folks across industry to transform the way organizations prioritize and approach fixing security vulnerabilities and updating people’s software. 
When Project Zero identifies a vulnerability it is referred to its "vendor" and they are given 90 days in which to fix it and ship a patched version to the public. There is however a 14-day grace period if a vendor confirms they plan to release a fix by the end of the extended 104-day window.
During the 3-year period under scrutiny Project Zero reported 376 issues to vendors. Of these 351 (93.4%) were fixed,14 (3.7%) were marked as WontFix by the vendors and 11 (2.9%)  remain unfixed, 3 of which were still within the deadline. 

Bug fix time 2019-2021, by bug report volume






Number of bugs (average days to fix)


61 (71)

13 (63)

11 (64)


46 (85)

18 (87)

16 (76)


26 (49)

13 (22)

17 (53)


12 (32)

8 (22)

5 (15)


54 (63)

35 (54)

14 (29)


199 (67)

87 (54)

63 (52)

*Others in the table include Adobe, Mozilla, Samsung, Oracle, GitHub, Apache, Facebook, Canonical and many more.

The table gives the number of bugs per year and shows a trend towards fewer bugs per year, the exception being Google. The longest times to fix bugs was in 2019 with a distinct improvement in 2020, apart from Microsoft. In 2021 the average days to fix was shorter over all vendors, despite longer times than the previous year for Apple and Google.  

Looking at the number of bugs per vendor, Apple and Microsoft stand out as having the largest number of vulnerabilities - weighted towards the first year -  and being the slowest to issue a patch and Linux, which has a relatively low number of vulnerabilities, leads in tems of alacrity. 
Noting that vendors are now fixing almost all of the bugs that they receive  and that in 2021 only one bug exceeded the 90-day deadline, Schoen comments:
We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines. We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry.


More Information

A walk through Project Zero metrics

Related Articles

GitHub Security Bug Bounty Milestones

Mozilla Increases Bug Bounty

Who Are The Hackers and Why 

Over $21 Million In Google Bug Bounty

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


CISA Offers More Support For Open Source

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a number of key actions that they hope will improve the open source ecosystem.

Azure AI And Pgvector Run Generative AI Directly On Postgres

It's a match made in heaven. The Azure AI extension enables the database to call into various Azure AI services like Azure OpenAI. Combined with pgvector you can go far beyond full text search. Let's  [ ... ]

More News

raspberry pi books



or email your comment to:

Last Updated ( Monday, 28 February 2022 )