chromium/docs/security/updates.md

# Chrome Security Update FAQ

_Bookmark this page as https://g.co/chrome/security-update-faq_

## TL:DR

Almost all Chrome updates contain security fixes, and should be prioritized
equally. The most secure option is to automatically update Chrome as soon as any
update is available, independent of the specific details of any security fixes
included in the update.

## Chrome Updates

Almost all updates have security fixes. Every week, Chrome releases a new
version that materially improves security. The Chrome Security team believes the
best option for security is to apply all updates to Chrome as soon as they are
available. We recommend against and do not support using the security release
notes as a method to prioritize updates. Instead, all updates should be
prioritized equally, and considered to be important security fixes.

Patching, remediating, and protecting against security vulnerabilities is a core
part of the Chrome engineering process. The Chrome Security team works to
protect Chrome users and make it safe to click on links by building features and
architecting systems to defend against exploitation, network tampering, malware
and phishing. Every release of Chrome includes not just security patches, but
new security features and other defensive improvements developed by the Chrome
Security team.

Chrome releases [stable milestones][release-cycle] every four weeks (MXXX), with “refresh”
releases in-between milestones. Milestones are refreshed with updates that can
contain security fixes and functional bug fixes for high-impact bugs. There are
planned security refreshes weekly for every milestone, with all of the
security fixes since the previous release. Chrome may have unscheduled updates
between milestones to fix critical security issues, address breaking functional
bugs, or patch known in-the-wild exploits. Updates and rapid response are part
of the Chrome security development lifecycle, and Chrome invests in its ability
to quickly refresh a release when needed. While we do try to reduce the number
of unplanned updates, these releases are an important part of how Chrome works
to secure its users, and are an example of Chrome’s vulnerability reporting and
security engineering processes working as intended.

## FAQ

**Are security fixes included in every new milestone release?** Yes.

**How do I avoid compatibility issues with web platform changes if I automatically
update Chrome?** Breaking changes to the web platform are communicated in the
[enterprise release notes][ent-rel-notes]. For changes that may cause
compatibility issues, Chrome includes a temporary enterprise policy to maintain
the old behavior for several milestones beyond the change, which gives
enterprises time to address compatibility issues. To proactively identify these
issues, we recommend enterprises test their critical workflows, or have a cohort
of users running the Beta version of Chrome.

You can read more details and best practices on the [Chrome Update Management
Strategies][update-strategy] technical doc.  Enterprises can also reach out to their [support
representatives][ent-support] for help, or [file an issue][issue-tracker] if they identify a
bug in a new version of Chrome.

**How do I prioritize updates that patch vulnerabilities known to be under
exploitation in the wild (zero-days)?** Don't---this strategy puts you at risk.
Security fixes are important regardless of whether or not there is known
exploitation. There are two main reasons for this:

First, we know that we do not have full visibility into every exploit in the
wild. Chrome has an industry-leading multi-layered approach to finding possible
exploits, including code reviews, testing and fuzzing, working with researchers
and external organizations, and a vulnerability rewards program. However, it's
impossible to guarantee that a fixed vulnerability was never exploited in the
wild, so you should always roll out the fix.

Second, vulnerabilities may be exploited after our fix is rolled out. Exploiting
patched vulnerabilities in unpatched installations is known as N-day
exploitation, and it gets easier and cheaper for attackers after we’ve made a
fix available in a new version. If you don't update, you're putting your
organization at risk of N-day exploits, which are much more accessible to bad
actors than 0-day exploits.

Remember, a bug is only regarded as a security bug if we consider it
exploitable, so we recommend Chrome users treat all security fixes with equal
priority and always patch their installation. The [best defense][cisa-patches] against attackers
exploiting patched vulnerabilities in Chrome is to automatically update Chrome
whenever an update is available.

**I've noticed that Chrome has a lot of security updates. Does that mean something
is wrong?** No. Fast and frequent updates are one of Chrome's security strengths.
We've spent years building advanced release infrastructure in order to increase
the number of security updates you receive, and the frequency that we can send
them out. This keeps you a step ahead of bad actors.

**Updating every week (or more) is a lot of work. How can my IT department
keep up?** Chrome is designed to be easy for IT admins to manage and update. If
you're finding that it's a lot of work to keep up with Chrome's update schedule,
there's a good chance that there's an easier way to accomplish your goals.
Enterprises that disable auto-updates and instead roll out manual updates are
both decreasing their security and greatly increasing the amount of work they
have to do.

Read through different update strategies and best practices on the [Chrome Update
Management Strategies][update-strategy] technical doc.

**Is it possible that a Chrome update could address a functional bug, and no
security bugs?** Yes, there are releases containing only functional fixes. When
this occurs, there are no security fix notes for the corresponding desktop stable
release.

**How do I know what security fixes are included in a specific Android Chrome
release?** Android releases contain the same security fixes as their
corresponding desktop release (first three segments of the version number are
the same), unless otherwise noted.

**How do I know what security fixes are included in a specific Chrome on iOS
release?** Due to Apple platform limitations, the browsing engine for Chrome on
iOS is Webkit, which is also used by Safari. Apple maintains Webkit and tracks
security issues as part of their iOS release process. To receive WebKit security
fixes, users should always update iOS to the latest version. Whenever possible,
Chrome will ship patches on iOS to mitigate issues in Webkit. In the event of a
Chrome on iOS specific security flaw, Chrome will note the fix in the release
notes for the corresponding desktop release.

**My product includes one of Chrome's components (such as V8 or WebRTC). How
can I absorb security fixes?** As with Chrome itself, you should assume that
all security fixes are important and arrange to include them in your product.
We recommend tracking Chrome's "stable" branch - more recent branches may have
a higher density of ephemeral security bugs which we will fix before shipping
to stable. For some of Chrome's components (such as WebRTC) security bugs are
relatively infrequent and it may be possible to manually absorb new versions
as necessary by monitoring Chrome release notes. For others (such as V8)
security bugs are so frequent that the better strategy is to absorb a new
version of the component every week. For these components, Chrome does not
support making update decisions based upon the exact security content of the
release - instead, just take a new version each week.

[release-cycle]: https://chromium.googlesource.com/chromium/src/+/main/docs/process/release_cycle.md
[ent-rel-notes]: https://support.google.com/chrome/a/answer/7679408
[update-strategy]: https://support.google.com/chrome/a/answer/9982578
[ent-support]: https://chromeenterprise.google/browser/support/
[issue-tracker]: https://issues.chromium.org
[cisa-patches]: https://www.cisa.gov/tips/st04-006
[chrome-versions]: https://www.chromium.org/developers/version-numbers/
[rel-dash]: https://chromiumdash.appspot.com/releases?platform=Windows