Google has updated its policy for distributing Android security patches and disclosing vulnerabilities. The change affects how and when patch details become available to the broader developer and user community.

The GrapheneOS project, an open-source Android-based operating system focused on security and privacy, reported that Google's October Android Security Bulletin listed no patched vulnerabilities at all. By contrast, the September bulletin listed 114 distinct vulnerabilities.
New Embargoed Patch Distribution Model
Under the revised policy, Google now shares Android security patches exclusively with original equipment manufacturers (OEMs) through closed channels. These OEMs must sign a non-disclosure agreement (NDA) that prohibits them from disclosing the source code of the patches for three months after receipt. During this embargo period, OEMs may distribute only binary builds that include the fixes, so a patch reaches end users as firmware updates before the corresponding source appears in the Android Open Source Project (AOSP).
Although the patch code remains licensed under the Apache 2.0 open-source license, the NDA contractually restricts the OEMs from redistributing it until the embargo ends; the license itself is unchanged. Google cites a "desire for increased security" as the rationale: withholding source until patched binaries have shipped narrows the window in which attackers can diff a public patch and weaponize the fixed bug against still-unpatched devices (the so-called patch gap). Critics characterize the approach as security through obscurity, since it equally delays independent review of the fixes and patched builds from anyone outside the OEM channel.
GrapheneOS Adapts with Dual Release Channels
GrapheneOS has established a partnership with an OEM to receive embargoed patches ahead of public release. Consequently, the project will maintain two release channels: one offering fully reproducible builds based on AOSP without the embargoed security fixes, and another incorporating the embargoed patches. The source code for the latter will become publicly available only after the three-month embargo expires, so builds from that channel cannot be independently reproduced from source until then.