Saturday, February 12, 2022

The Time to Fix Web Security Bugs

Bruce Lawson:

One of the reasons Apple gives for the #AppleBrowserBan is to protect users’ privacy and security by fixing bugs quickly:

“By requiring use of WebKit, Apple can provide security updates to all our users quickly and accurately, no matter which browser they decide to download from the App Store.”

Ryan Schoen, Project Zero (Hacker News):

Specifically: after a vendor receives a report of a security issue, how much of the “time to fix” is spent between the bug report and landing the fix, and how much time is spent between landing that fix and releasing a build with the fix?


Chrome is currently the fastest of the three browsers, with time from bug report to releasing a fix in the stable channel in 30 days. The time to patch is very fast here, with just an average of 5 days between the bug report and the patch landing in public.


WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days.


For Apple, we’re pleased with the acceleration of patches landing, as well as the recent lack of use of grace periods as well as lack of missed deadlines.

