Tuesday, August 3, 2010

ZDI Disclosure Deadline: Putting Pressure on Tardy Software Vendors

Via ZDnet.com -

Looking to put pressure on software vendors who procrastinate on fixing security flaws, the world’s biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint’s Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

“We have about 31 outstanding issues that are more than a year old. We believe that’s an unacceptable window of exposure [to risk],” says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI’s public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding.

Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI’s list.

There are about 90 vulnerabilities in TippingPoint’s queue that are more than six months old.

Portnoy says the company may extend the six-month deadline “on a case-by-case basis” if there is evidence that there are technical complications to shipping patches within that time frame. In cases where extensions are granted, ZDI will publicly document the entire communication process with the affected vendor to ensure there is transparency with affected users.

However, once the deadline expires, ZDI plans to publish a limited advisory with details about the vulnerability and affected software to help the defensive/security community come up with applicable mitigations. “We want to make sure this window of risk is reduced and help people protect their systems.

ZDI won’t be releasing full technical details of the flaws or proof-of-concept/exploit code.

“We think this will push vendors in the right direction,” Portnoy said in an interview.


Releasing limited information about the vulnerability to help stimulate discussion on possible threat mitigation is a very positive thing. Kudos to ZDI for putting the security of the community first.
