• 0_o7@lemmy.dbzer0.com · 3 points · 4 hours ago

    Google might be trying to package critical security updates with a subscription in the future. Looks like this is the first step to make users accept they’re fine without all security patches then soon, hey, why not create a subscription for people who want them immediately?

  • henfredemars@infosec.pub · 5 up / 1 down · 6 hours ago

    Instead of bundling all available security patches into the next ASB, Google now prioritizes shipping only “high-risk” vulnerabilities in its monthly releases. The majority of security fixes, meanwhile, will be shipped in quarterly ASBs. Google defines “high-risk” vulnerabilities as issues that are crucial to address immediately, such as those under active exploitation or that are part of a known exploit chain. This designation is based on real-world threat level and is distinct from a vulnerability’s formal “critical” or “high” severity rating.

    Reckless behavior! You cannot adequately rate a vulnerability’s real risk, and we have a very limited view of what’s being exploited in the wild. Threat actors don’t exactly publish their successes, and even the smallest bugs can be used to build powerful primitives in ways that can be really surprising (e.g. a single off-by-one null byte overflow that seems minor can lead to actual code execution with sufficient control of the heap). Picking and choosing is a direct security compromise that makes Android less secure no matter which way you slice it.

    This reads to me as sugar-coating a cost-cutting measure. “Prioritize fixing and patching the highest-risk ones first” my ass. When you know of a bug that could have security relevance, you fix that bug. This just says you can’t afford the developers to actually fix your broken code.

  • cron@feddit.org · 26 points · 16 hours ago

    I don’t really see how delaying patches makes Android any more secure than a monthly release.

    Sure, it’s probably a tradeoff between the time it takes to ship security patches and might help some vendors to at least ship quarterly updates, but … it keeps known vulnerabilities unpatched for up to three months.