The world's biggest bug bounty program today slapped a six-month deadline on vendors, saying it would release some vulnerability information, even if a patch wasn't ready.
"We're going to be enforcing a six-month deadline as general policy," said Aaron Portnoy, who leads the security research team at HP TippingPoint.
It's a major change for TippingPoint's Zero Day Initiative (ZDI), which buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances. Previously, ZDI's policy was to indefinitely withhold a vulnerability, publishing its information only after a patch had been issued.
Starting Wednesday, ZDI will give vendors six months to come up with a patch. Bugs currently in its queue get a deadline that's six months from now: Feb. 4, 2011.
If a fix isn't ready by the deadline, ZDI will pressure the vendor by issuing an advisory that will include what Portnoy called "limited details" of the vulnerability, as well as any workarounds ZDI can come up with to help protect users until a patch does appear.
But the new line in the sand is movable. "For vulnerabilities that may be more impactful, like ones in the core operating system, we will provide an extension on a case-by-case basis," Portnoy said in an interview. A vulnerability in the Windows kernel would be a good example of a candidate for extension.
"But if we provide an extension, we'll be totally transparent, and publish the full communications between us and the vendor once it's patched," Portnoy said.
The back-and-forth between security researchers and vendors, such as what Core Security has occasionally published when it's grown frustrated with Microsoft's patching pace, is sometimes as interesting, or even more so, than the actual bugs, giving everyone a behind-the-scenes look at how large software developers handle vulnerability reports.
Portnoy said the change had been a long-time coming, and wasn't directly connected to the debate over bug disclosure that heated up in early June when a Google employee went public with a critical Windows vulnerability just five days after reporting it to Microsoft.
"We've been thinking about this for quite a while," said Portnoy, arguing that the delays on the part of vendors put it ZDI in a tight spot. "We have to track some of these bugs for two years, three years, which slows us down."
Currently, ZDI is holding information on 31 critical bugs that it reported to vendors a year ago or longer. "[Vendors] have the responsibility to fix the issues," said Portnoy. "We shouldn't be held responsible for withholding information until they do."
Portnoy made it clear that part of the reason for the new deadline is to pressure the intransigent to patch. "By releasing some information, it puts the spotlight on vendors," Portnoy said.
He also argued that the secrecy over vulnerabilities may end up doing users a disservice. "There's been a lot of discovery overlap, where several [researchers] find the exact same vulnerability," said Portnoy. Immunity and Vulpen, two rival security firms, report bug discoveries only to their own customers, not to the vendors. "Some of what Immunity has could very well be among those we're sitting on right now," Portnoy added.