Google is changing how Android's security patches publishes. From now on, the system will prioritize the vulnerabilities of “high risk” to solve them in the MONTHLY BULLETINwhile the rest of the failures will go to quarterly updates bigger. The objective is clear: reduce the load for manufacturers and get patches to reach more mobile, with greater consistency without sacrificing protection against real threats.
This turn comes after an atypical summer. In July 2025, for example, the Android Monthly Bulletin did not include vulnerabilities, and in September A very bulky package with dozens of corrections was published. The new approach called “Risk -Based Update System” (Rbus) works as a triage: It is immediately corrected what is actively exploited or is part of attack chains and the least urgent is grouped for quarterly patches.
What changes in Android security patches
Until now, Google published a MONTHLY BULLETIN With all corrected vulnerabilities, Low, moderate, high or criticism. With Rbus, the monthly newsletters They will only include failures that Google classifies as “High risk” depending on the real impact and of exploitation level. Everything else will accumulate for a quarterly cycle (March, June, September and December) that will be more forceful in volume.
For the manufacturers (OEM)this implies less patches than integrating and testing every month, which can facilitate that marks with very wide catalogs and heavy customization layers more predictable terms. And as quarterly packages concentrate most corrections, Google encourages at least the devices to maintain a quarterly rhythm of security updates.
This change coexists with the modularization of Android through Project Mainline and with them Google Play system updateswhich allow Google to display certain corrections directly from Google Play Without waiting for the OEM. In practice, the user will see two flows: monthly patches when there are problems priorityand quarterly packages that will cover the Great majority of vulnerabilities.
How does it affect you if you have an Android mobile
If you already receive Monthly updates Of your brand, you should not notice great changes: they will continue to arrive when there are vulnerabilities of High risk What to attend. You will see the difference in the quarterwith more number of corrections patches. For those who only had patches bimonnsual or quarterlythis model can translate into more regularity and in one faster response to critical threats.
Another aspect to keep in mind is that there is a month “blank” In the bulletin it does not mean that Android is unprotected; simply that Google does not consider it necessary to disseminate (or force to integrate) corrections that are not priority then. In addition, other actors such as Samsung either Qualcomm They can continue publishing their own newsletters and patches, even if the Android newsletter is empty.
In the ecosystem Pixelthe specific newsletter may not include security patches and limit functional improvementswhile the bulk of the corrections arrives in the following quarterly cycle. It is a sign of that Calendar readjustment that seeks to focus the shot in what matters most for user security.
Reasonable doubts: transparency, leaks and roms
Not everything is advantages. Several security experts have indicated possible Collateral risks. When giving More margin To the OEM to integrate large packages quarterlythere is more time for technical details They end up leaketing before all devices are paveled. It is a hypothetical, but plausible scenario, given the amount of equipment that has access to private newsletters.
Another collateral effect is for the ROMS community and projects derived from AOSP, which historically depended on Source Code that Google published with each monthly cycle. With the focus on the quarterlythese projects can find more difficult maintain a monthly pace rhythm with the open source available. It is an aspect to take into account for those who opt for alternatives to the official versions of the manufacturers.
A change designed to accelerate the patches, if the OEM fulfill
In practical terms, the risk -based model makes sense: dedicates resources to what Yes it is exploding and reduces friction so that manufacturers They are not drowned every month. The great unknown is whether all brands will take advantage of this margin to be more agile or if they will continue to postpone the quarterly patches.
For users, the Council does not change: keep your mobile updated, activate the Automatic updates whenever possible and don't neglect the updates of Google Play. What do you think of this Google turn? Do you think it will help the patches reach your mobile before or prefer the classical monthly scheme, with all listing every month?
