
Google’s Risk-Based Overhaul of the Android Security Bulletin

by ytools

Google has quietly restructured one of the most important pillars of Android security – the monthly Android Security Bulletin (ASB). For years, Android users and manufacturers relied on these bulletins to see what vulnerabilities were fixed each month, but in mid-2024 something unusual caught the attention of observers: Pixel devices suddenly had no listed vulnerabilities in the July report, only to see a staggering 119 security issues detailed in the September edition.
Far from being an oversight, this was the result of a deliberate shift in Google’s security release strategy.

The new dual-bulletin approach

Most Android users only ever encounter the public version of the Android Security Bulletin, published on the first Monday of each month. But behind the scenes, there is a second, private bulletin that gets distributed about a month earlier. This confidential report is shared directly with phone manufacturers and chip suppliers so they can test and prepare fixes before the details go public. What has changed recently is how much information Google now discloses in those public bulletins.

With the introduction of the Risk-Based Update System (RBUS), Google has stopped listing every patch every single month. Instead, the company only highlights the vulnerabilities considered “high risk” – those flaws that are either actively exploited in the wild or have the potential to be chained together with other weaknesses to give hackers deep system control. This means that while the July Pixel bulletin seemed empty, it was simply because no such immediate high-risk threats were discovered at the time. In contrast, the September flood of disclosures signaled a particularly urgent patch cycle.

Why this matters for different types of Android phones

Not every Android handset receives monthly patches. Premium devices such as Google’s Pixel line or Samsung’s Galaxy flagships tend to get frequent updates, but millions of mid-range and budget phones are updated far less often – quarterly, semi-annually, or in some cases not at all. That gap in protection is significant, because without timely security patches, users remain vulnerable to credential theft, account breaches, and even full device compromise.

By narrowing the focus of monthly bulletins to only the most dangerous vulnerabilities, Google hopes manufacturers can respond more quickly to truly urgent problems. At the same time, the larger bulk of patches can be bundled into quarterly updates, giving companies a more manageable workflow without compromising on emergency responsiveness. In practice, this means some months will have bulletins with no vulnerabilities listed – a stark contrast to the past, when every flaw, critical or minor, was disclosed monthly.

How Google defines “high risk”

Google’s new “high risk” classification is not the same as the older “critical” or “high-severity” labels seen in past reports. Instead, the company is prioritizing based on exploitation likelihood and systemic impact. A flaw that is part of an active exploit chain or is being used in real-world attacks is elevated to high-risk status and patched immediately. Lower-risk vulnerabilities, even if serious in severity terms, may now wait for the next quarterly package.

Benefits and trade-offs for manufacturers

For phone makers, this approach reduces the constant struggle to push out endless monthly patches. Manufacturers now have a clearer path: focus resources on urgent issues as they arise, and schedule broader maintenance in quarterly updates. This could also allow them to deliver higher-quality monthly patches when they are required, since attention is focused only on the most dangerous flaws.

Take July as an example. Google’s bulletin for Pixel phones listed no security patches at all, though it did include two functional patches to fix bugs unrelated to security. Meanwhile, Samsung’s July security release was busier, with 17 Samsung Vulnerabilities and Exposures (SVEs) addressed by Samsung Mobile, along with additional fixes from Samsung Semiconductor. The comparison highlights how different manufacturers may interpret and act upon Google’s bulletin system.

What it means for everyday Android users

For most people, monthly security bulletins don’t stir much excitement. Pixel owners are generally far more eager for the quarterly Pixel Feature Drop that adds visible improvements, while functional patches fixing bugs are also welcomed. Security patches, by contrast, work quietly in the background. You don’t see a new icon, a redesigned menu, or a performance boost – you simply avoid becoming the victim of an attack you never knew was aimed at your device.

Still, security experts stress the importance of installing updates the moment they become available, whether they arrive monthly, quarterly, or even semi-annually. The sooner you apply them, the less time an attacker has to exploit vulnerabilities on your device. With Google’s new RBUS, this urgency becomes even clearer: when a monthly update does appear, it’s because something high-risk truly demands your immediate attention.

In short, the Android security ecosystem is evolving. Google’s shift to a risk-based model reflects the challenges of protecting billions of devices across countless models and manufacturers. While some users may find it unsettling to see “empty” monthly reports, the real message is simple: not all vulnerabilities are equal, and Google is prioritizing the ones that matter most. For users, the takeaway remains timeless – install updates quickly, stay protected, and don’t mistake silence in a bulletin for safety in the digital world.
