Security | 21.02.2022

Linux developers faster at fixing security bugs than Microsoft and Apple

Linux developers take less time to patch security vulnerabilities than the teams at large software companies — including Microsoft, Apple, and Google.

That is according to Google’s Project Zero, a research initiative that reports security vulnerabilities to the largest software vendors and assesses their performance in addressing them based on a 90-day deadline.

Vendors can also request a 14-day grace period if they confirm a plan to release the fix by the end of the 104-day window.

In their latest post, Project Zero assessed the vendors’ reactions to 376 bugs reported between January 2019 and December 2021.

Most of the vulnerabilities were clustered around a few vendors, including 96 from Microsoft, 85 from Apple, and 60 in Google products.

Overall, 351 bugs were fixed, while 14 were marked as WontFix by the vendors.

Eleven of the bugs remained unfixed, of which eight had passed the deadline for fixing, and three were still within the deadline.

Improvement in patch time

According to the researchers, vendors took an average of 52 days to fix their security vulnerabilities, a marked improvement over the 80 days it took three years ago.

There was also a drop-off in the number of vendors missing the deadline or the additional 14-day grace period.

“In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period,” said Project Zero’s Ryan Schoen.

The team broke down each vendor’s deadline adherence and fix time, shown in the table below.

Notably, only 25 bugs were reported to Linux developers, and 24 were fixed by day 90. Only one exceeded the deadline and grace period.

But perhaps more impressive was that it only took an average of 25 days for the Linux devs to fix their bugs, far below the average across all vendors.

This was also much faster than Microsoft and Apple’s average days to fix, which stood at 83 and 69, respectively.

Of the major vendors, Oracle took the longest to fix bugs, with an average of 109 days.

In addition, its teams had only managed to fix 3 out of 7 bugs within the 90-day deadline.

Schoen said the difference in the time it takes a vendor to ship a fix to users reflects their product design, development practices, update cadence, and general processes towards security reports.

“We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies,” Schoen said. 

A full list of Project Zero’s discovered vulnerabilities can be found on the Bug Tracker.
