For over a decade, Google's monthly Android Security Bulletins have been a cornerstone of mobile security. However, a significant shift occurred in July 2025, marking a departure from the established norm. Instead of the usual comprehensive list of vulnerabilities, the bulletin was notably empty. This wasn't due to a lack of identified issues; rather, it reflected Google's strategic transition to a 'Risk-Based Update System' (RBUS).

This new approach prioritizes the immediate patching of high-risk vulnerabilities, those actively exploited or part of known exploit chains. These critical fixes are bundled into monthly releases. Less urgent vulnerabilities are addressed in larger, quarterly bulletins. This change directly impacts the frequency and size of these reports. The July 2025 bulletin's emptiness contrasted sharply with the September release, which listed a staggering 119 vulnerabilities, illustrating the consolidation of less critical patches into quarterly cycles.
The RBUS aims to streamline the update process for Original Equipment Manufacturers (OEMs). By focusing on high-risk issues monthly, OEMs can more easily implement timely security patches without being overwhelmed by a constant influx of updates. This is particularly beneficial for manufacturers with extensive product lines and complex update processes.
While this change may not immediately impact users receiving regular monthly updates, it could benefit those who previously experienced less frequent patching. The quarterly releases now contain the bulk of security fixes, encouraging OEMs to adopt at least quarterly update schedules, thereby improving overall device security. However, this approach presents potential drawbacks.
One concern, raised by GrapheneOS, is the extended timeframe between the private release of quarterly updates to OEMs and their public release. Even though the private bulletin itself is distributed securely, this longer window could give malicious actors more time to exploit vulnerabilities before patches are widely distributed. Another significant consequence is the cessation of monthly source code releases, which affects custom ROM developers and limits their ability to provide monthly security updates.
Although Google hasn't publicly announced the RBUS, sources confirm its implementation. The company emphasizes that this shift is ultimately aimed at enhancing Android's security posture by focusing efforts on the most critical vulnerabilities, empowering OEMs to respond more effectively and ultimately safeguarding Android users from potential threats.
---
Originally published at: https://www.androidauthority.com/android-risk-based-security-updates-3597466/