Project Zero finds that Linux developers fix security flaws faster than Apple, Google or Microsoft

Linux matrix

Whether Linux distributions are more secure than Windows or macOS is the source of on-going debate, but Google’s Project Zero has some interesting findings relating to the patching of security holes.

The security research program at Google has published information relating to security flaws found in software over the course of two years. Between January 2019 and December 2021 the Project Zero team found that Linux developers addresses problems far faster than Apple, Microsoft or Google itself.

See also:

In the report, Google’s Project Zero shares some interesting data, showing that Apple software was found to have 84 security vulnerabilities, Microsoft 80, Google 56, and Linux just 25. But it is the speed and efficiency of fixing problems that it is what matter most.

While Apple was able to fix 87 percent of the bugs within 90 days of the problem being reported, Microsoft managed just 76 percent. Google performed well by fixing 95 percent of security holes inside the 90-day window, while Linux developers fixed an impressive 96 percent.

Looking at the four major platforms — Apple, Google, Linux and Microsoft — it is the Windows-maker that is the slowest at fixing issues. It took Microsoft an average of 83 days to fix bugs, with Apple in second place with 69 days. Google’s bug fixing takes an average of 44 days, but problems with Linux software is addressed at breakneck speed: an average of just 25 days.

Presenting its finding, Project Zero say:

Between 2019 and 2021, Project Zero reported 376 issues to vendors under our standard 90-day deadline. 351 (93.4%) of these bugs have been fixed, while 14 (3.7%) have been marked as WontFix by the vendors. 11 (2.9%) other bugs remain unfixed, though at the time of this writing 8 have passed their deadline to be fixed; the remaining 3 are still within their deadline to be fixed. Most of the vulnerabilities are clustered around a few vendors, with 96 bugs (26%) being reported to Microsoft, 85 (23%) to Apple, and 60 (16%) to Google.

The report conclude by saying:

We’d love to have even more insight into the processes and timelines of our vendors. We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities. Through more transparency, information sharing, and collaboration across the industry, we believe we can learn from each other’s best practices, better understand existing difficulties and hopefully make the internet a safer place for all.

The full report is available to read here.

Image credit: jivacore / Shutterstock

Author: Martha Meyer