Patch or we go public, says bug bounty program
TippingPoint's ZDI sets a 6-month deadline on vendors to encourage faster patching
Computerworld - The world's biggest bug bounty program today slapped a six-month deadline on vendors, saying it would release some vulnerability information, even if a patch wasn't ready.
"We're going to be enforcing a six-month deadline as general policy," said Aaron Portnoy, who leads the security research team at HP TippingPoint.
It's a major change for TippingPoint's Zero Day Initiative (ZDI), which buys vulnerabilities from independent security researchers, privately reports them to vendors and then uses the information to craft defenses for its own line of security appliances. Previously, ZDI's policy was to indefinitely withhold a vulnerability, publishing its information only after a patch had been issued.
Starting Wednesday, ZDI will give vendors six months to come up with a patch. Bugs currently in its queue get a deadline that's six months from now: Feb. 4, 2011.
If a fix isn't ready by the deadline, ZDI will pressure the vendor by issuing an advisory that will include what Portnoy called "limited details" of the vulnerability, as well as any workarounds ZDI can come up with to help protect users until a patch does appear.
But the new line in the sand is movable. "For vulnerabilities that may be more impactful, like ones in the core operating system, we will provide an extension on a case-by-case basis," Portnoy said in an interview. A vulnerability in the Windows kernel would be a good example of a candidate for extension.
"But if we provide an extension, we'll be totally transparent, and publish the full communications between us and the vendor once it's patched," Portnoy said.
The back-and-forth between security researchers and vendors, such as what Core Security has occasionally published when it's grown frustrated with Microsoft's patching pace, is sometimes as interesting, or even more so, than the actual bugs, giving everyone a behind-the-scenes look at how large software developers handle vulnerability reports.
Portnoy said the change had been a long-time coming, and wasn't directly connected to the debate over bug disclosure that heated up in early June when a Google employee went public with a critical Windows vulnerability just five days after reporting it to Microsoft.
"We've been thinking about this for quite a while," said Portnoy, arguing that the delays on the part of vendors put it ZDI in a tight spot. "We have to track some of these bugs for two years, three years, which slows us down."
Currently, ZDI is holding information on 31 critical bugs that it reported to vendors a year ago or longer. "[Vendors] have the responsibility to fix the issues," said Portnoy. "We shouldn't be held responsible for withholding information until they do."
Portnoy made it clear that part of the reason for the new deadline is to pressure the intransigent to patch. "By releasing some information, it puts the spotlight on vendors," Portnoy said.
He also argued that the secrecy over vulnerabilities may end up doing users a disservice. "There's been a lot of discovery overlap, where several [researchers] find the exact same vulnerability," said Portnoy. Immunity and Vulpen, two rival security firms, report bug discoveries only to their own customers, not to the vendors. "Some of what Immunity has could very well be among those we're sitting on right now," Portnoy added.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts