Ongoing changes to Android security patches due to AI vulnerability discovery
a day ago
- #Android Security
- #GrapheneOS
- #Backport Policy
- Google is reducing backport support for older Android versions, limiting critical vulnerability patches to the most recent 2 major releases (Android 16 and 17).
- Externally reported high and critical vulnerabilities are still backported for about 3 years, but internal discoveries by Google (often via AI) have stricter limits.
- Android Security Bulletins now omit moderate and low severity patches and are delayed by 2-4 months after disclosure; only Samsung flagships, Pixels, and GrapheneOS ship patches early.
- Bare minimum security patches now require being on Android 16, 16 QPR2, or 17, with Android 18 becoming the sole source for current high/critical patches upon release.
- GrapheneOS plans to work with Motorola and Qualcomm for serious patches, port to the latest Linux LTS, and may reverse-engineer binary patches if Google doesn't open-source security previews.