Google says that Linux developers do a better job of fixing vulnerabilities than developers working at Apple, Microsoft, and Google itself. While Linux bugs are corrected in an average of 25 days, Microsoft takes more than 80.
This data has been published directly by the security experts of Project Zero, the team of Google hackers who for a few years have been pressuring companies by disclosing security flaws so that they get corrected as soon as possible.
The good news is that, in general, all vulnerabilities are being fixed faster
Linux developers are not only getting patches out faster than everyone else and improved their speed between 2019 and 2021; the numbers released by Project Zero indicate that, beyond doing better, they are simply better than the rest.
Project Zero examined all the fixed vulnerabilities it had reported between January 2019 and December 2021. It found that open source developers fixed Linux problems in an average of 25 days, and what took them 32 days in 2019 took only 15 in 2021.
Linux developers fixed vulnerabilities in an average of just 15 days during 2021
Compared to this, everyone else is well behind, though better than in previous years. Closest behind is Google itself, with an average of 44 days, along with various organizations and open source companies such as Apache, Canonical, GitHub and Kubernetes (listed as "Others*" in the table).
| Distributor | Bugs in 2019 (days to fix) | Bugs in 2020 (days to fix) | Bugs in 2021 (days to fix) |
|---|---|---|---|
| Apple | 61 (71) | 13 (63) | 11 (64) |
| Microsoft | 46 (85) | 18 (87) | 16 (76) |
|  | 26 (49) | 13 (22) | 17 (53) |
| Linux | 12 (32) | 8 (22) | 5 (15) |
| Others* | 54 (63) | 35 (54) | 14 (29) |
| TOTAL | 199 (67) | 87 (54) | 63 (52) |
Further back are Mozilla with 46 days and Apple with 69 days, while Microsoft appears at the bottom of the table, taking an average of 83 days to correct its bugs. Oracle fares even worse, averaging 109 days, but it has had to deal with far fewer security issues by comparison (7 bugs vs. Microsoft's 80 in the same period).
Project Zero is famous for its 90-day grace period, one that Microsoft has struggled with more than once. When the security team discovers a vulnerability, it gives the software vendor that long to fix the bug before making it public. The overall average time to fix a vulnerability currently stands at 61 days, so the pressure seems to be having a good effect at least.
In fact, Microsoft itself has improved significantly in this regard, going from 85 days in 2019 to 76 in 2021. Over the past year only one of its bugs exceeded the grace period, versus 9 in 2020.