A walk through Project Zero metrics
Posted by Ryan Schoen, Project Zero tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period ). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period. Differences in the amount of time it takes a vendor/product to ship a fix [...]