On Linux, security issues are resolved faster


You may be wondering whether Linux is less secure than proprietary systems. Or perhaps the very idea seems absurd to you. You are right.

And the data proves it. Google’s security research team, Project Zero, recently demonstrated that Linux developers fix security vulnerabilities the fastest.

Faster than anyone else, including Google.

Free software developers are faster

The Project Zero team analyzed fixes for vulnerabilities reported between January 2019 and December 2021. They found that free software programmers patched issues on Linux in just 25 days, on average. Their time to fix security vulnerabilities has also improved: it went from 32 days in 2019 to just 15 in 2021.

Its competitors do not score as well. Apple, for example, averages 69 days, Google 44 days and Mozilla 46 days. At the bottom of the pack are Microsoft, with an average of 83 days, and Oracle, which has had only a handful of security issues, with 109 days. According to the team, the rest (mostly free software organizations and companies such as Apache, Canonical, GitHub and Kubernetes) managed a respectable 44 days.

Generally speaking, everyone is getting faster and faster at fixing security flaws. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago, the average was 80 days.

Fix times are down across the board

Google’s security team notes that Microsoft, Apple, and Linux in particular have reduced their time to fix vulnerabilities over the past two years.

When it comes to mobile operating systems, Apple takes an average of 70 days to fix bugs in iOS. That is barely better than Google, which averages 72 days on Android. On the other hand, iOS had far more bugs than Android: 72 versus 10.

Browser bug-fixing times are getting shorter too. Chrome resolved its 40 issues in an average of just under 30 days. Mozilla Firefox, with only 8 security vulnerabilities, had an average fix time of 37.8 days. As for WebKit, Apple's web browser engine, used mainly by Safari, the record is much worse: more than 72 days, on average, to fix bugs.

More transparency for more security

The Project Zero team gives vendors 90 days to fix the security issues it reports. Besides the fact that the average fix time is now well below this window, the team has also seen a drop in the number of vendors missing the 90-day deadline or the additional 14-day grace period.

Last year, only one vulnerability exceeded this time limit, a security issue in Android. However, 14% of reported bugs needed the additional two weeks. Either way, everyone is doing a much better job of fixing security vulnerabilities than in previous years.

Why? The Project Zero team believes this is because "responsible disclosure policies have become the de facto standard in the industry, and vendors are better equipped to respond quickly to reports with varying timelines." On the vendor side, greater transparency let them learn from each other by observing what others were doing. I attribute a lot of that to the growth of open-source development methods. It is becoming increasingly clear that it is in everyone's interest to act together to fix bugs.

Source: ZDNet.com
