Bug bounty operator presses vendors to pick up patching pace

HP TippingPoint's 'Zero Day Initiative' will go public with bug information 120 days after reporting vulnerabilities to software makers

Citing the need to prod software vendors to patch vulnerabilities even faster, Hewlett-Packard's bug bounty program said it was shortening its patch-or-go-public policy to 120 days.

The Zero Day Initiative (ZDI), a researcher reward program run by HP's TippingPoint division, a maker of corporate intrusion prevention system (IPS) and firewall appliances, announced the new deadline at the RSA Conference, a massive security trade show and conference that wraps up today in San Francisco.

"One very clear way to push ourselves, and our partners, to increase our commitment to the contributing independent researchers who entrust us with their work, and most of all, to push our commitment to more secure computing, is to draw in our public disclosure deadline," said Shannon Sabens, a senior security content manager at TippingPoint, in a blog Wednesday announcing the change.

Starting with bug reports submitted by researchers on or after March 1, ZDI will ask affected vendors to issue a fix within 120 days of receiving the vulnerability report from the bounty program.

If a fix isn't released within 120 days, ZDI may pressure the vendor by issuing an advisory that will include limited details of the vulnerability, as well as any workarounds ZDI can come up with to help protect users until an official patch appears.

The deadline isn't new: ZDI instituted a 180-day patch-or-go-public policy in August 2010. But ZDI wants vendors to pick up the pace.

"Our purpose in changing the policy is to push vendors to decrease the amount of time it takes them to react to responsibly disclosed vulnerabilities and to reduce the attack surface faster," Sabens said.

Since the 2010 debut of the patch deadline, software makers have gotten faster at issuing security updates for the bugs ZDI hands them. "Overall, vendor timelines are greatly reduced," Sabens contended.

She cited some statistics to prove her point, saying that in 2010, 30% of the vulnerabilities given to vendors took longer than 180 days to patch. ZDI's current inventory consists of 175 unpatched vulnerabilities, with only 18, or about 10% of the total, with a reporting date of180 or more days ago.

ZDI buys vulnerabilities from independent security researchers -- it closely guards how much it pays -- and then turns over the information to the pertinent software maker. An unpatched flaw uncovered in Windows 8, for example, is handed to Microsoft's security team.

TippingPoint then creates detections for the vulnerabilities and adds them to its IPS line, thus protecting its customers before a patch is available.

ZDI is also known for sponsoring the annual Pwn2Own hacking contest, one of the most lucrative challenges each year. Slated to run March 12-13 at the CanSecWest security conference in Vancouver, British Columbia, Pwn2Own is in its eighth year.

Bugs used to win awards at Pwn2Own are treated the same way as those submitted to the bounty program throughout the year: Reports are sent to vendors and TippingPoint adds detections to its IPS appliances.

This year's Pwn2Own, which will be co-sponsored by Google, will put a record $645,000 in prize money on the table.

Vulnerabilities purchased by ZDI regularly surface in patches crafted by the biggest software vendors, including Microsoft and Apple. The most recent update to OS X Mavericks, for example, which Apple issued earlier this week, included fixes for three flaws in QuickTime that were reported by ZDI. Microsoft's February security updates included patches for 10 ZDI-submitted vulnerabilities, all but one of them in Internet Explorer (IE), Microsoft's browser.

According to the ZDI website's "Upcoming Advisories" page, 60 of the 175 unpatched bugs, or 34%, were 120 or more days old.

This article, Bug bounty operator presses vendors to pick up patching pace, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.


Copyright © 2014 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon