They’re not releasing the list of vulnerabilities each month but instead doing it quarterly, so how are custom ROM devs supposed to patch vulnerabilities if google isn’t reporting them to manufacturers and developers like they’ve done for over a decade now?
Given how large and complex the Android operating system and its underlying components are, it’s not unusual to see a dozen or more vulnerabilities documented in a bulletin. However, the July 2025 bulletin broke this decade-long trend: out of the 120 bulletins published up to that point, it was the first ever to not list a single vulnerability.
Instead of bundling all available security patches into the next ASB, Google now prioritizes shipping only “high-risk” vulnerabilities in its monthly releases. The majority of security fixes, meanwhile, will be shipped in quarterly ASBs.
https://www.androidauthority.com/android-risk-based-security-updates-3597466/
They’re not releasing the list of vulnerabilities each month but instead doing it quarterly, so how are custom ROM devs supposed to patch vulnerabilities if google isn’t reporting them to manufacturers and developers like they’ve done for over a decade now?
“Android Security Bulletins will still be released, and picked to all supported LineageOS versions monthly.” LineageOS