Google Shifts Android Security Updates To Risk-Based Triage System (androidauthority.com) 1
Google has restructured Android's decade-old monthly security update process into a "Risk-Based Update System" that separates high-priority patches from routine fixes. Monthly bulletins now contain only vulnerabilities under active exploitation or in known exploit chains -- explaining July 2025's unprecedented zero-CVE bulletin -- while most patches accumulate for quarterly releases.
The September 2025 bulletin contained 119 vulnerabilities compared to zero in July and six in August. The change reduces OEM workload for monthly updates but extends the private bulletin lead time from 30 days to several months for quarterly releases. The company no longer releases monthly security update source code, limiting custom ROM development to quarterly cycles.
The September 2025 bulletin contained 119 vulnerabilities compared to zero in July and six in August. The change reduces OEM workload for monthly updates but extends the private bulletin lead time from 30 days to several months for quarterly releases. The company no longer releases monthly security update source code, limiting custom ROM development to quarterly cycles.
It's pretty clear Google hates custom ROMs (Score:3, Insightful)
The business reasons behind this decision notwithstanding, Google hates custom ROMs.
I'm sure pushing source code releases to quarterly and hindering ROM development is only seen as a benefit on their side.
The recent decision to start severely limiting sideloading and for all apps to be verified by Google indicates the writing is on the wall. The days of a more open Android OS are coming to a close.