Knowledge Base Article
Change in cadence of Android Security Bulletins
July 2025
The comprehensive Android Security Bulletin is transitioning to a quarterly release schedule, with the first such bulletin slated for September 2025. This means that following the Android 16 Q2 2025 release, the June 2025 bulletin will be the final comprehensive monthly release. Beginning in July 2025, any monthly bulletins published will be limited to "Advisory Class" vulnerabilities only.
These full, comprehensive bulletins will be released in March, June, September, and December, generally on the first Monday of the month. In the months between these quarterly releases, monthly updates will still be provided, but they will exclusively feature "Advisory Class" vulnerabilities. These are defined as crucial, high-priority issues that demand immediate attention, such as those actively being exploited or those with a significant impact on users. Any other resolved issues from those interim months will be consolidated and included in the subsequent quarterly bulletin.
Regarding Security Patch Levels (SPLs), both quarterly and advisory bulletins will continue to include -01 and -05 sections, offering flexibility for partners. The format of the quarterly bulletin is expected to remain largely consistent, though it will naturally encompass a greater volume of fixes accumulated over the quarter. A new section will also be added to the bulletin header to prominently highlight any Advisory Class fixes. This change aims to minimize the impact on OEM patching processes; if an existing security update schedule already meets compliance requirements, it will remain valid.
This shift does not heighten security risks for non-critical issues, as the monthly "Advisory Class" bulletins ensure urgent matters are addressed promptly. While fixes are continuously developed and tested, this change primarily affects the reporting and release cadence of the full patch set. OEMs can now ship fixes in their builds even before they are officially included in the Android bulletin. If an OEM releases a fix early, they are permitted to reference it by its CVE and Android ID in their documentation.
It is recommended to review and adjust existing compliance policies to align with the new quarterly Android Security Bulletin cadence. This will ensure your policies accurately reflect the release schedule for comprehensive security updates. OEMs may still choose to release monthly updates. Please reach out to your OEMs for details on their planned release cycle.
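One way to express a compliance rule against the quarterly cadence, as an added example that is not part of the original article: it measures a device's SPL against the most recent comprehensive bulletin (March, June, September, December) instead of the current calendar month. The first-Monday date is nominal (the article says "generally"), and the 30-day grace window, the status names and the sample fleet are assumptions made for illustration.

```python
from datetime import date, timedelta

QUARTERLY_MONTHS = (3, 6, 9, 12)  # comprehensive bulletin months named in the article

def first_monday(year, month):
    """Nominal publication day: the article says 'generally' the first Monday."""
    d = date(year, month, 1)
    return d + timedelta(days=(7 - d.weekday()) % 7)

def latest_comprehensive(today):
    """(year, month) of the newest comprehensive bulletin nominally out by `today`.
    Valid for dates on or after the June 2025 bulletin."""
    y, m = today.year, today.month
    while not (m in QUARTERLY_MONTHS and first_monday(y, m) <= today):
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    return y, m

def parse_spl(spl):
    """Parse a 'YYYY-MM-DD' patch level; only the -01 and -05 levels exist."""
    y, m, d = (int(part) for part in spl.split("-"))
    if not 1 <= m <= 12 or d not in (1, 5):
        raise ValueError(f"not a valid security patch level: {spl!r}")
    return y, m, d

def evaluate(device_spl, today, grace_days=30):
    """Return 'current', 'grace' or 'stale' (hypothetical policy states)."""
    spl = parse_spl(device_spl)
    by, bm = latest_comprehensive(today)
    if spl >= (by, bm, 1):
        return "current"
    published = first_monday(by, bm)
    if (today - published).days <= grace_days:
        # Still inside the rollout window: accept the previous quarterly baseline.
        py, pm = latest_comprehensive(published - timedelta(days=1))
        if spl >= (py, pm, 1):
            return "grace"
    return "stale"

if __name__ == "__main__":
    # Constructed fleet sample: device name -> reported SPL.
    fleet = {"phone-a": "2025-09-05", "phone-b": "2025-10-05", "phone-c": "2025-06-05"}
    for name, spl in fleet.items():
        print(name, spl, evaluate(spl, date(2025, 11, 15)))
```

A rule that requires the SPL to match the current month would flag every device during interim months in which an OEM ships no update; anchoring the baseline to the last quarterly bulletin avoids that.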