Google limits Android vulnerability details to NDA partners

Danny Weber

23:01 13-10-2025

© B. Naumkin

Google now withholds Android vulnerability details for up to three months, sending patches first to OEMs under NDA, a change that affects independent security researchers and custom ROM projects.

Google has overhauled how it discloses vulnerabilities and distributes security patches for Android. From now on, security updates will first go only to hardware makers (OEMs) that sign a non-disclosure agreement (NDA).

Under the new rules, the source code of a fix may be held back for up to three months after partners receive the update. During that window, vendors can ship only binary builds containing the patches, without publishing technical details. In practice, this slows the usual cadence of transparency and limits early visibility to a small circle of partners.

Previously, Google listed and described the fixed vulnerabilities in the monthly Android Security Bulletins. For instance, the September 2025 bulletin enumerated 114 identified issues, while the October 2025 bulletin omitted vulnerability descriptions entirely. The contrast is hard to miss.

The shift was first spotted by the GrapheneOS team, the privacy-focused independent Android distribution. The project argues the new policy will make life harder for independent security researchers and custom ROM developers, who rely on timely technical data to react quickly.

Google, for its part, says the temporary restriction aims to raise overall security by preventing attackers from quickly analyzing patches and exploiting the fixed vulnerabilities before official updates reach devices. The company describes the approach as a security-through-obscurity strategy: withholding details until fixes are broadly deployed. The caveat is that withholding source only delays this kind of analysis rather than preventing it, since binary builds shipped to devices can still be diffed against earlier releases.

To keep shipping timely updates, GrapheneOS has already struck a partnership with a manufacturer that receives patches directly from Google under the new system. It’s a pragmatic workaround, but one that underscores how access now hinges on formal agreements rather than open documentation.