TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... In December of 2007, Microsoft released seven security bulletins which fixed 11 new security vulnerabilities. TippingPoint and ZDI were credited with discovering a total of four of those vulnerabilities.

ZDI Disclosure Policy Changes

As the 5th year anniversary of the TippingPoint ZDI program rolls around, we have had a chance to reflect on the frequently changing vulnerability disclosure best practices used within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same. Throughout the lifetime of the ZDI we have maintained the same process of procurement and responsible disclosure to affected vendors. In doing so we have abided by these vendors' wishes to dictate the time period in which they remediate reported vulnerabilities. Generally, this strategy has worked out well for the vendor, for ourselves, and ultimately for our customers.

However, as time goes by we are noticing indications that this process needs refinement. As can be seen from the ZDI Upcoming Advisories page, when the timeline is controlled by the affected vendor they are sometimes less than punctual with regard to patch time. As it stands, there are currently 31 high-risk vulnerabilities reported by the ZDI over a year ago that are still awaiting a patch from the vendor. We believe this places the end user unnecessarily at risk for an extended period of time.

This becomes even more true when we reflect upon the recent trend of vulnerability discovery overlap. With increasing frequency, researchers on opposite sides of the globe are finding the same vulnerability within weeks of each other. It is also worth mentioning that many research firms are no longer disclosing vulnerabilities to vendors at all. Most notably, VUPEN Security and Immunity Sec pass the discoveries they find on to their customers alone, without reporting to the affected vendor. As such, we can only assume that many of the bugs in our queue may already be known to others.

In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10. This applies to all future vulnerabilities submitted through our program as well as all currently outstanding reports. This means that the first vulnerability report, if needed, will be disclosed on 02/04/11. At the end of the deadline, if a vendor is not responsive or is unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.

We realize some issues may take longer than the deadline for complexity and compatibility reasons, and we are willing to work with vendors on a case-by-case basis. To maintain transparency into our process, if any vulnerability is given an extension we plan to publish the communication we have had with the vendor regarding the issue once it is patched. We hope that this level of insight into our process will allow the community to better understand some of the difficulties vendors face when remediating high-impact bugs.

Aaron Portnoy
Manager, Security Research

Published On: 2010-08-03 15:21:11

Comments

  1. Larry Seltzer commented on 2010-08-03 @ 15:46

    I added a table of the worst offenders in the Upcoming Advisories list to my own writeup on this. - http://blogs.pcmag.com/securitywatch/2010/08/hp_zdi_to_set_vulnerability_di.php

  2. Andrew Wallace commented on 2010-08-04 @ 15:21

    A deadline of six months or the entire internet gets hacked, according to TippingPoint.

    I can't wait for the court cases...

  3. mandrel commented on 2010-08-08 @ 22:38

    Good post, thank you for sharing.


Links To This Post

  1. TippingPoint sets deadline for security fixes » for, vulnerabilities, about, software vendors, bugs, TippingPoint » secure one
    linked on 2010-08-04 @ 14:12

    Security specialist TippingPoint is, effective immediately, giving software vendors a six-month deadline to close vulnerabilities reported through its Zero Day Initiative (ZDI). TippingPoint's Manager of Security Research, Aaron Portnoy, announced this in a blog post.

  2. TippingPoint sets deadline for security fixes - Security | News | ZDNet.de
    linked on 2010-08-04 @ 10:12

    Security specialist TippingPoint is, effective immediately, giving software vendors a six-month deadline to close vulnerabilities reported through its Zero Day Initiative (ZDI). TippingPoint's Manager of Security Research, Aaron Portnoy, announced this in a blog post.

  3. Pressure mounts for a swifter response to vulnerabilities
    linked on 2010-08-04 @ 17:38

    ... it comes to releasing patches. After Google announced that it will in future give software vendors just 60 days to patch security vulnerabilities before public disclosure, the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases. Previously ZDI did not implement a time limit, instead allowing vendors to take as long as they wanted to develop a patch following notification of a vulnerability and only releasing information once a patch had been distributed. The result of this policy is an eye-watering list of outstanding patches from major vendors such as Apple, IBM, Microsoft and Symantec. IBM, for example, appears not to have lifted a finger to fix a critical vulnerability reported three years ago. Ironically, Hewlett-Packard also ...

  4. Leading Bug Bounty Program Threatens Lazy Vendors with Public Disclosures | Keyboard Failure
    linked on 2010-08-05 @ 23:30

    “As the 5th year anniversary of the TippingPoint ZDI program rolls around we have had a chance to reflect on the frequently changing vulnerability disclosure best practices utilized within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same,” Aaron Portnoy, manager of security research at HP TippingPoint, wrote in a blog post Wednesday.

  5. Information Technology Leader » Blog Archive » Leading Bug Bounty Program Threatens Lazy Vendors with Public Disclosures
    linked on 2010-08-06 @ 01:20

    “As the 5th year anniversary of the TippingPoint ZDI program rolls around we have had a chance to reflect on the frequently changing vulnerability disclosure best practices utilized within our industry. From the days of no-disclosure, to full, to responsible, to coordinated, our policy has remained relatively the same,” Aaron Portnoy, manager of security research at HP TippingPoint, wrote in a blog post Wednesday.

  6. TippingPoint gives companies only 6 months before it discloses the vulnerabilities they have not patched | الخلاصات العربية
    linked on 2010-08-06 @ 05:14

    To read the original post, see the following link.
