Android Security Updates

Android's New Security Plan: Risk-Based Updates Explained

Mobile Security

For a solid decade, Google has consistently released monthly Android Security Bulletins, detailing the fixes for various vulnerabilities, regardless of whether their own Pixel devices were ready for an update. That consistent rhythm, however, has changed. I think it's a change for the better, though it might come with some risks.

The July 2025 bulletin marked a turning point: for the first time in 120 releases, it didn't list a single vulnerability! Fast forward to September 2025, and we saw a whopping 119 vulnerabilities listed. This wasn't because Google suddenly stopped finding vulnerabilities in July. Instead, it showed a strategic shift in how they handle Android security updates.

The core idea? To help device manufacturers address the most critical, high-risk issues quickly, better shielding users from immediate threats. For example, if a vulnerability is being actively exploited, that will be prioritized. It's all about focusing on what's dangerous right now.

How Google Handles Vulnerabilities

Google's been proactive in bolstering Android's defenses. They're using memory-safe languages like Rust in new code and implementing anti-exploitation measures. But the landscape is always changing, and some vulnerabilities are always waiting to be discovered.

When vulnerabilities are found, they're usually reported privately by security researchers. Google's security team then jumps in to verify, assess the impact, and assign a severity rating. After validation, a unique identifier is assigned, and engineers work to develop a patch. It's a complex process that involves many smart people.

I think the biggest challenge for Google is that they can't directly push updates to all Android devices. They rely on manufacturers to do that. That's why they created the Android Security Bulletin (ASB). It's a way to coordinate the release of numerous security patches at once, giving manufacturers time to prepare.

However, even with this lead time, some manufacturers struggle to keep up. Many don't commit to monthly updates for all their devices, especially budget and mid-range ones. This leaves many Android devices vulnerable.

The "Risk-Based Update System"

Google's solution is the "Risk-Based Update System" (RBUS). Instead of bundling every patch into the next ASB, Google prioritizes only "high-risk" vulnerabilities in monthly releases, as I mentioned earlier. Other fixes are rolled into quarterly ASBs.

This approach offers benefits for manufacturers. Since monthly bulletins focus on high-risk issues, some might even list zero fixes, which was the case in July 2025. This gives manufacturers the flexibility to release updates when they deem necessary. Note that Samsung and Qualcomm may still list multiple CVEs in their own monthly bulletins.

On the flip side, quarterly ASBs will be larger, aligning with Android's new quarterly release schedule. This encourages manufacturers to adopt at least a quarterly update schedule for better protection.

From a user perspective, if you're already getting monthly updates, you'll likely continue to receive them. If not, this change might help your manufacturer deliver them more consistently. At the very least, it should make those quarterly updates more impactful.

There's a potential downside, though. With longer lead times for quarterly updates, there's a risk that vulnerability details could leak, giving malicious actors more time to develop exploits. While the private ASB is shared securely, it's accessible to a wide range of engineers, increasing the chances of a leak. As a result, Google is no longer releasing the source code for monthly security updates, only quarterly ones. This, in conjunction with other delays in OS source code, means most custom ROMs can’t ship monthly updates anymore.

Source: AndroidAuthority