There’s seemingly no stopping the trend that every new day we are facing the greatest risks ever seen when it comes to being online, and that’s why cybersecurity is an ongoing big deal for both individuals and organizations. No one likes to be the recipient of malware or to have their private information exposed when they are just going about their day-to-day online, but it’s a very real possibility.
Companies that make digital products should be proactive in making sure those products are safe to use when connected to the web, but that is something that has been slow to come around on a grander scale. Fortunately it now is, and major ones like Google, Apple, and Microsoft have been much better about finding the right preventative fixes and making them available to people in a timely manner.
Here at 4GoodHosting we are like any quality Canadian web hosting provider in that we can relate to the importance of security patches being made available, especially for those that have no choice but to handle sensitive data provided by customers or business associates when working together with them. Nowadays, as cybersecurity threats become more pronounced and far reaching, the means of addressing and thwarting them are advancing in step, better than at any time before.
93.4% Fix Rate
New research from Google indicates companies are getting much better at fixing security vulnerabilities found in their products. Many firms are also now taking less time to address various issues, and going past their established deadlines for patch fixes less frequently than in previous years.
Project Zero is Google’s team of security analysts tasked with finding zero-day vulnerabilities, which are unknown or unpatched flaws that can be abused through malware. The team recently published a blog post covering 376 issues it found between 2019 and 2021, detailing how vendors responded to the findings and what the overall success of those responses meant for cybersecurity in the digital realm.
Of those 376 issues, 351 (93.4%) have been fixed and only 14 (3.7%) have not had any type of fix applied to them. 11 (2.9%) remain active, but 8 of those were classified as having already passed their 90-day deadline.
Google, Microsoft, and Apple Doing Best
Roughly two-thirds of all these vulnerabilities (65%) are attributable to these 3 major companies: Microsoft had 96 (26%), Apple 85 (23%), and Google 60 (16%). In the evaluation, 90 days was the deadline for a vendor to fix an issue and ship an improved version to its customers' endpoints. A 14-day grace period was made available if the vendor asked for it while still committing to deliver a patch.
Apple did best with the reported vulnerabilities, fixing 87% of them within that 90-day window. Microsoft came in second at 76%, and then Google with 53% fixed. Microsoft had the most patches issued during the grace period (15 flaws, or 19%). Google was best at seeing to them fastest - an average of 44 days to fix a problem compared to Apple’s 69 days or Microsoft’s 83 days.
These numbers are more significant when you compare them to how long it took these 3 companies to achieve the same thing in previous years. It took Apple 71 days to fix an issue on average in 2019, and in 2020 it was 63. It took Microsoft 85 days in 2019, moving up to 87 for 2020. Google didn’t move much either way, but overall these companies have been consistently cutting down on the time required to address vulnerabilities.
The good news is that vendors are now fixing almost all of the bugs they get, and doing it relatively quickly. The past three years have seen accelerated patch delivery too, as vendors have learned best practices from each other and been influenced by increasing transparency in the industry.
Paid Rewards
Google has its Vulnerability Reward Programs (VRP), and through 2021 Google and the wider cybersecurity community have discovered thousands of vulnerabilities, some of which have been fixed by those outside of the company for paid rewards. The sum of those rewards is apparently in the vicinity of $800k. Nearly 700 researchers have been paid for their hard work in discovering new bugs, with the highest reward being $157,000, going to a researcher who discovered an exploit chain in Android.
The Android VRP paid out twice what it did last year, rising to almost $3 million. A total of 115 Chrome VRP researchers were rewarded for 333 unique security bugs found, and payouts for that totalled into the millions.