There is one potential downside to the Risk-Based Update System, as highlighted by the folks behind GrapheneOS, a privacy and security-oriented fork of AOSP. In the past, Google gave OEMs a one-month heads-up. Now, they receive several months of advance notice for the larger quarterly updates. This longer window could be problematic, as it gives bad actors more time to potentially find leaked vulnerability details and develop exploits before patches are widely available. While the private ASB is shared securely, it’s accessible to tens of thousands of engineers across dozens of companies, making it conceivable that details could leak to malicious third parties. This remains a hypothetical risk, though, as it would require bad actors to leverage the right exploit on the right devices before they’re patched.
Ah, I thought I’d seen this story already: