Which Vendors Fix Bugs the Fastest? Insights from Google Project Zero (2019‑2021)
Based on Google Project Zero data from 2019 to 2021, Linux leads with an average bug‑fix time of 15 days, while Oracle shows the most delay, and Chrome and iOS consistently rank among the fastest in patching security vulnerabilities.
Over the past three years, which vendor's developers have been the quickest at fixing bugs? According to Google, Linux takes the lead.
Linux averages only 15 days to fix a bug, the shortest time reported in Google’s latest security‑bug‑fix study.
The data comes from Google’s Project Zero, launched in 2014, which scans operating systems, web browsers and open‑source libraries worldwide for vulnerabilities.
After discovering a vulnerability, Google reports it to the vendor and tracks the remediation progress.
The report covers the period from 2019 to 2021. Overall, vendors have become more proficient: three years ago the average fix time was three months, but by 2021 it dropped to 52 days, with only one bug exceeding its deadline.
And the biggest procrastinator? It turns out to be Oracle.
Google reported 376 issues to vendors, of which 93.4% were fixed, 3.7% were marked WontFix, and 2.9% remain unresolved.
The standard remediation deadline is 90 days with a 14‑day grace period; fixes taking longer than 104 days are considered delayed.
Oracle shows a clear delay pattern: 57% of its bugs were fixed after the deadline, although only seven Oracle bugs were reported in total.
Overall, bug‑fix times have been decreasing. Linux now averages just 15 days per bug, while some vendors, including Google itself, saw their average repair time double in 2021 compared to 2020.
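To make the deadline rule concrete, here is an added example (not code from the article or from Project Zero) that applies the 90-day deadline plus 14-day grace period to a constructed set of tracker records and derives the per-vendor figures the article quotes: average fix time, WontFix and open counts, and the share of bugs fixed after the deadline. The vendor names and dates in the sample are constructed; counting a still-open bug as delayed once it passes day 104 and leaving WontFix entries out of the delayed share are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEADLINE_DAYS = 90  # standard Project Zero disclosure deadline
GRACE_DAYS = 14     # grace period: a fix landing after day 104 is delayed

@dataclass
class TrackedBug:
    vendor: str
    reported: date
    fixed: Optional[date] = None  # None while unfixed
    wontfix: bool = False

def exceeded_deadline(bug: TrackedBug, today: date) -> bool:
    # Past deadline+grace at fix time (or as of today while still open); WontFix excluded (assumption).
    if bug.wontfix:
        return False
    end = bug.fixed or today
    return (end - bug.reported).days > DEADLINE_DAYS + GRACE_DAYS

def vendor_metrics(bugs, today):
    # Per-vendor counts, average fix time and share of delayed bugs.
    by_vendor = {}
    for b in bugs:
        by_vendor.setdefault(b.vendor, []).append(b)
    metrics = {}
    for vendor, items in by_vendor.items():
        fixed = [(b.fixed - b.reported).days for b in items if b.fixed is not None]
        delayed = sum(exceeded_deadline(b, today) for b in items)
        metrics[vendor] = {
            "reported": len(items),
            "fixed": len(fixed),
            "wontfix": sum(b.wontfix for b in items),
            "open": sum(1 for b in items if b.fixed is None and not b.wontfix),
            "avg_fix_days": round(sum(fixed) / len(fixed), 1) if fixed else None,
            "pct_exceeded": round(100 * delayed / len(items), 1),
        }
    return metrics

# Constructed sample records, not real Project Zero tracker entries.
TODAY = date(2022, 2, 10)
SAMPLE = [
    TrackedBug("Linux", date(2021, 1, 1), fixed=date(2021, 1, 16)),   # 15 days
    TrackedBug("Oracle", date(2021, 1, 1), fixed=date(2021, 4, 15)),  # day 104: within grace
    TrackedBug("Oracle", date(2021, 1, 1), fixed=date(2021, 4, 16)),  # day 105: delayed
    TrackedBug("Oracle", date(2021, 9, 1), wontfix=True),
    TrackedBug("Android", date(2021, 9, 2)),                          # still open
]
```

Note the boundary: a fix on day 104 still counts as on time, while day 105 is delayed, and an open bug keeps accruing days until it is fixed.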
In the web‑browser arena, Chrome, WebKit and Firefox were compared from vulnerability disclosure to patch release. Chrome typically resolves bugs within 40 days, while WebKit’s cycle is considerably longer.
Google explains that WebKit’s longer cycle is understandable because it is the only browser engine allowed on iOS, so changes affect all iOS browsers.
Across the past three years, Chrome’s average fix time is about 30 days, making it one of the fastest.
The rapid patching of Chrome vulnerabilities may be linked to its fast release cadence.
In mobile operating systems, iOS reports the highest number of bugs but also the shortest average fix time.
Apple bundles updates for iMessage, FaceTime, Safari/WebKit, and other apps into the iOS system update, inflating the total count.
Android’s security updates are delivered via Google Play Store and are not counted in the report.
One More Thing
The “most delayed” bug selected by Project Zero is an Android vulnerability disclosed on September 2, 2021, which remains unfixed after more than four months.
The issue concerns “vold’s incremental‑fs APIs trust paths from system_server for mounting,” related to the IncFS trust path mechanism.
IT Services Circle