Pixel's Monthly Security Bulletins to List Only High-Risk Security Flaws

Google has made a major change to how it releases the monthly Android Security Bulletin (ASB). In July, the bulletin for Pixel phones listed no security vulnerabilities. But by contrast, the September release counted 119 flaws. This striking difference was not accidental but tied to a new strategy Google is calling the Risk-Based Update System (RBUS).

Typically, Google issues a public ASB on the first Monday of every month. Each bulletin contains newly discovered vulnerabilities and fixes. However, there has always been another version of the ASB that Google sends to phone manufacturers and chip suppliers 30 days earlier, giving them time to test solutions before the details go public.

The RBUS system changes how much of this information is delivered. Instead of listing all detected vulnerabilities, Google now limits the monthly ASBs to high-risk flaws, which include issues already being exploited or exploit chains linking multiple vulnerabilities together. Lower-risk ...