Redazione RHC: 17 September 2025 10:46
Google has changed its Android security update strategy, breaking, for the first time in a decade, its tradition of disclosing vulnerabilities monthly. Its July 2025 bulletin did not report a single vulnerability, a first in 120 publications. In September, by contrast, the list included 119 fixes at once.
The reason isn’t that July was “safe,” but that Google is moving to a new Risk-Based Update System (RBUS) model. Monthly updates will now contain fixes only for “high-risk” vulnerabilities, meaning those actively exploited or part of known attack chains. The remaining vulnerabilities will be grouped into major quarterly releases in March, June, September, and December.
The company emphasizes that this approach will simplify the work of smartphone manufacturers. They will have to integrate fewer patches into monthly updates, which will increase the likelihood of their timely release. At the same time, manufacturers will be able to focus on larger quarterly updates, which will become the primary channel for distributing most fixes.
Google notes that previously many companies limited security updates to a bimonthly or quarterly cadence, especially for cheaper models. The new schedule should standardize deployment and ensure that devices are protected at least quarterly.
The traditional vulnerability management cycle remains the same. Researchers report the issues they discover, Google confirms them and assigns CVE identifiers. Engineers then develop a fix, and if the vulnerability is critical and affects Project Mainline components, the update can be distributed directly via Google Play System Update.
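For a defender managing a device fleet, the practical question raised by the new cadence is whether a given device's security patch level is still acceptable. The following added example (not code from Google or from this article) classifies patch levels against the RBUS schedule described above: the quarterly months are taken from the article, while the `YYYY-MM-DD` patch-level format is the one Android exposes as `ro.build.version.security_patch`. It assumes, as a simplification, that a quarterly release is dated to the first of its month and that a device is "monthly-current" if its patch level is no more than one month old.

```python
from datetime import date

# Quarterly release months under RBUS, as stated in the article.
QUARTERLY_MONTHS = (3, 6, 9, 12)

# Assumption for this example: a device is considered current on the
# monthly track if its patch level is at most this many months old.
MONTHLY_GRACE_MONTHS = 1


def parse_patch_level(level: str) -> date:
    """Parse an Android security patch level string (YYYY-MM-DD)."""
    year, month, day = (int(part) for part in level.split("-"))
    return date(year, month, day)


def months_behind(patch: date, today: date) -> int:
    """Whole months between the patch level month and today's month."""
    return (today.year - patch.year) * 12 + (today.month - patch.month)


def latest_quarterly_baseline(today: date) -> date:
    """Most recent quarterly release month on or before `today`.

    Assumption: the quarterly release is dated to the first of its month.
    """
    year, month = today.year, today.month
    while month not in QUARTERLY_MONTHS:
        month -= 1
        if month == 0:
            month, year = 12, year - 1
    return date(year, month, 1)


def classify(level: str, today: date) -> str:
    """Classify a device as monthly-current, quarterly-current or stale."""
    patch = parse_patch_level(level)
    if months_behind(patch, today) <= MONTHLY_GRACE_MONTHS:
        return "monthly-current"
    if patch >= latest_quarterly_baseline(today):
        return "quarterly-current"
    return "stale"


def fleet_summary(fleet: dict, today: date) -> dict:
    """Count devices per class; `fleet` maps device id -> patch level string."""
    summary = {"monthly-current": 0, "quarterly-current": 0, "stale": 0}
    for level in fleet.values():
        summary[classify(level, today)] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample_fleet = {
        "pixel-a": "2025-09-05",
        "vendor-b": "2025-06-05",
        "vendor-c": "2025-03-05",
    }
    print(fleet_summary(sample_fleet, date(2025, 9, 17)))
```

On the article's publication date the June quarterly baseline has already been superseded by September's, so a device still on a June patch level is reported as stale; the same device checked in August would be quarterly-current.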
The Android Security Bulletin, available in both public and closed versions, remains a key element. The closed bulletin is sent to vendors 30 days before publication to give them time to test patches. This period will now be longer for quarterly releases, raising concerns among third-party developers.
GrapheneOS representatives warn that the longer the interval between distribution to vendors and public publication, the greater the risk that information about the vulnerabilities leaks and is exploited by attackers, although for now this remains a hypothetical threat.
Another disadvantage of the new process is that patch source code is now published only for quarterly updates. This further complicates matters for the custom ROM community, which will no longer be able to incorporate monthly patches in a timely manner.
Despite the changes, Google assures that users whose devices already receive monthly updates will continue to receive them. For others, the move to RBUS should improve the predictability and frequency of updates. “Android and Pixel fix vulnerabilities monthly, but we always prioritize the most risky ones,” a company spokesperson said.