Knowledge Base Article
Change in cadence of Android Security Bulletins
July 2025
The comprehensive Android Security Bulletin is transitioning to a quarterly release schedule, with the first such bulletin slated for September 2025. This means that following the Android 16 Q2 2025 release, the June 2025 bulletin will be the final comprehensive monthly release. Going forward, beginning in July 2025, any monthly bulletins published will be limited to "Advisory Class" vulnerabilities only.
These full, comprehensive bulletins will be released in March, June, September, and December, generally on the first Monday of the month. In the months between these quarterly releases, monthly updates will still be provided, but they will exclusively feature "Advisory Class" vulnerabilities. These are defined as crucial, high-priority issues that demand immediate attention, such as those actively being exploited or those with a significant impact on users. Any other resolved issues from those interim months will be consolidated and included in the subsequent quarterly bulletin.
Regarding Security Patch Levels (SPLs), both quarterly and advisory bulletins will continue to include -01 and -05 sections, offering flexibility for partners. The format of the quarterly bulletin is expected to remain largely consistent, though it will naturally encompass a greater volume of fixes accumulated over the quarter. A new section will also be added to the bulletin header to prominently highlight any Advisory Class fixes. This change aims to minimize the impact on OEM patching processes; if an existing security update schedule already meets compliance requirements, it will remain valid.
This shift does not heighten security risks for non-critical issues, as the monthly "Advisory Class" bulletins ensure urgent matters are addressed promptly. While fixes are continuously developed and tested, this change primarily affects the reporting and release cadence of the full patch set. OEMs can now ship fixes in their builds even before they are officially included in the Android bulletin. If an OEM releases a fix early, they are permitted to reference it by its CVE and Android ID in their documentation.
It is recommended to review and adjust existing compliance policies to align with the new quarterly Android Security Bulletin cadence. This will ensure your policies accurately reflect the release schedule for comprehensive security updates. OEMs may choose to still release monthly updates. Please reach out to your OEMs for details on their planned release cycle.
3 Comments
- Bigdogburr, Google Team, 9 minutes ago
Thanks mattdermody. I am curious as this moves forward how you find the experience at your org and perhaps commentary from peers you have at other companies.
- mattdermody, Level 2.3: Gingerbread, 20 hours ago
Will be very interesting to see how the OEMs respond to this. Zebra and Honeywell have had a mostly monthly cadence of updates posted for many years, lagging slightly, but keeping in lockstep with the Android Security Bulletins. These updates were honestly too frequent for most end customers to be able to adopt regularly as testing, validation and deployment cycles often take longer than one month as it is. Therefore moving to a quarterly basis may actually increase likelihood of adoption. Despite being less frequent we may see a general improvement in security posture as the enterprises may be more capable to take the quarterly updates than they have been willing and able to take the monthly ones.
- Lizzie, Google Community Manager, 6 hours ago
This is great to hear mattdermody, thanks for sharing. Do keep us posted on how you find it going forward. 👍