Google has some surprisingly good news about the state of online security right now


Companies are getting much better at fixing security vulnerabilities found in their products, according to new research from Google: many firms now take less time to address issues and miss their deadlines less often than in previous years.

Project Zero, Google’s team of security analysts tasked with finding zero-day vulnerabilities (unknown or unpatched flaws that can be abused through malware), recently published a blog post in which it details the 376 issues it found between 2019 and 2021, how vendors responded to the findings, and what that means for the overall cybersecurity posture of the digital realm.

Of the 376 issues, almost all (351, or 93.4%) have been fixed. Just 14 (3.7%) have been marked by their respective vendors as WontFix, while 11 (2.9%) remain open (8 of those have already passed their 90-day deadline).

Google, Microsoft, and Apple leading the pack

Three major companies make up roughly two-thirds of all these vulnerabilities (65%): Microsoft has had 96 (26%), Apple has had 85 (23%), and Google has had 60 (16%).

The deadline for a vendor to fix an issue and ship the fixed version to its customers' endpoints is 90 days, the blog post explains. The vendor can also ask for a 14-day grace period, provided it commits to releasing the fix by then.
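The deadline rules described above (90 days, an optional 14-day grace period, WontFix, and still-open reports past their deadline) are easy to get subtly wrong in a vulnerability-management tracker. The following is an added example, not Project Zero's own tooling, that classifies reports under those rules and summarises per-vendor fix times; the vendor names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

DEADLINE_DAYS = 90   # standard disclosure deadline from the report date
GRACE_DAYS = 14      # extension a vendor may request if it commits to ship by then


@dataclass
class Report:
    vendor: str
    reported: date
    fixed: Optional[date] = None   # None means no fix has shipped yet
    grace_requested: bool = False
    wontfix: bool = False


def classify(r: Report, today: date) -> str:
    """Return one of: wontfix, fixed_in_deadline, fixed_in_grace,
    fixed_late, active, active_past_deadline."""
    deadline = r.reported + timedelta(days=DEADLINE_DAYS)
    # The grace period only moves the cut-off if the vendor asked for it.
    cutoff = deadline + timedelta(days=GRACE_DAYS) if r.grace_requested else deadline
    if r.wontfix:
        return "wontfix"
    if r.fixed is None:
        return "active_past_deadline" if today > cutoff else "active"
    if r.fixed <= deadline:
        return "fixed_in_deadline"
    if r.fixed <= cutoff:
        return "fixed_in_grace"
    return "fixed_late"


def vendor_summary(reports, today: date) -> dict:
    """Per-vendor status counts plus mean days-to-fix over fixed reports."""
    out = {}
    for r in reports:
        s = out.setdefault(r.vendor, {"counts": {}, "fix_days": []})
        status = classify(r, today)
        s["counts"][status] = s["counts"].get(status, 0) + 1
        if r.fixed is not None:
            s["fix_days"].append((r.fixed - r.reported).days)
    return {v: {"counts": s["counts"],
                "mean_days_to_fix": mean(s["fix_days"]) if s["fix_days"] else None}
            for v, s in out.items()}


TODAY = date(2021, 6, 1)  # constructed "current date" for the open-report check
SAMPLE = [  # constructed sample reports; 2021-01-01 + 90 days falls on 2021-04-01
    Report("VendorA", date(2021, 1, 1), fixed=date(2021, 2, 10)),                        # 40 days
    Report("VendorA", date(2021, 1, 1), fixed=date(2021, 4, 5), grace_requested=True),  # 94 days, in grace
    Report("VendorA", date(2021, 1, 1), fixed=date(2021, 5, 1)),                         # 120 days, late
    Report("VendorB", date(2021, 3, 1), wontfix=True),
    Report("VendorB", date(2021, 3, 1)),                                                  # open, past 2021-05-30
]
```

Running `vendor_summary(SAMPLE, TODAY)` gives VendorA one report in each of the three fixed buckets with a mean of about 84.7 days, and VendorB one WontFix and one open report past its deadline.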

That being said, of all the reported vulnerabilities, Apple fixed 87% within that 90-day window, more than Microsoft (76%) or Google (53%). Microsoft had the most patches issued during the grace period (15 flaws, or 19%).

Google also claims to have been the fastest at addressing these issues, taking an average of 44 days to fix a problem, less than Apple (69) or Microsoft (83).

Keep in mind that these are the figures for the time period of 2019 - 2021. The best part comes when these figures are broken down by year, and compared.

In 2019, Apple took 71 days, on average, to fix an issue. In 2020 it was 63, and in 2021, 64.

For Microsoft, it was 85, 87, and 76 respectively, while for Google, it was 49, 22, and 53. Aside from Google, which slowed down a bit between 2020 and 2021, these companies have been consistently cutting down on the time needed to address vulnerabilities.

“Perhaps most impressively, the others not represented on the chart have collectively cut their time to fix in more than half,” Project Zero further explains.

The researchers say they see “a number of promising trends emerging from the data,” including vendors fixing almost all of the bugs they get, as well as generally doing it within the 90-day deadline. Furthermore, over the past three years, they’ve accelerated their patch delivery.

“We suspect that this trend may be due to the fact that responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines. We also suspect that vendors have learned best practices from each other, as there has been increasing transparency in the industry,” the report concludes.

Thousands of vulnerabilities, millions in paid rewards

Last year was a record-breaker for the company’s Vulnerability Reward Programs (VRPs), as well, Google confirmed. Over the course of 2021, Google and the wider cybersecurity community discovered “thousands of vulnerabilities”, with the company awarding the community a record-breaking $8,700,000.

Almost 700 researchers were paid for their work in discovering new bugs, and the single highest reward was $157,000.

That reward went to a researcher who discovered an exploit chain in Android. 

Speaking of the mobile platform, the Android VRP doubled its 2020 total payouts last year, rising to almost $3 million. A total of 115 Chrome VRP researchers were rewarded for 333 unique security bugs found, with the company paying out a total of $3.3 million in Chrome VRP rewards.

Finally, the company handed out $550,000 in rewards to 60 researchers discovering flaws in its Google Play platform.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.