
Zero Day

Ryan Naraine and Dancho Danchev

New vulnerability disclosure deadline puts pressure on tardy software vendors

By Ryan Naraine | August 3, 2010, 12:50pm PDT

Summary: TippingPoint’s Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

Looking to put pressure on software vendors that procrastinate on fixing security flaws, the world’s biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint’s Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

“We have about 31 outstanding issues that are more than a year old. We believe that’s an unacceptable window of exposure [to risk],” says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI’s public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding.

Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI’s list.

There are about 90 vulnerabilities in TippingPoint’s queue that are more than six months old.
Portnoy says the company may extend the six-month deadline “on a case-by-case basis” if there is evidence that there are technical complications to shipping patches within that time frame. In cases where extensions are granted, ZDI will publicly document the entire communication process with the affected vendor to ensure there is transparency with affected users.
However, once the deadline expires, ZDI plans to publish a limited advisory with details about the vulnerability and affected software to help the defensive/security community come up with applicable mitigations. ZDI won’t be releasing full technical details of the flaws or proof-of-concept/exploit code.

“We want to make sure this window of risk is reduced and help people protect their systems. We think this will push vendors in the right direction,” Portnoy said in an interview.

The ZDI program is very popular with hackers looking to cash in on their research in a legitimate marketplace. Instead of reporting software flaws to vendors, researchers can sell that data to TippingPoint in a way where the information is given to the affected vendor so that patches can be created and deployed.

“We’re doubling the number of vulnerabilities in the program,” Portnoy said. In 2009, the company published 101 advisories, and for the first seven months of this year, there have already been 137 advisories released by ZDI.

“We need to implement this deadline to help track the sheer quantity of security bugs coming in,” Portnoy said. “It’s becoming a bit of a burden on us to track these old, outstanding issues. There’s a bit of an inefficiency seepage that slows down the time we have to work on new issues coming into our program.”

Portnoy also pointed to “overlapping discoveries” that appear to be on the increase. In these cases, multiple security researchers are discovering the same security vulnerability in the same piece of software.

“There’s overlap with other research programs, there’s overlap in the same submissions coming in to us. If we’re seeing this frequently, we have to assume that others have found, or already know about, the outstanding issues. That’s a problem,” Portnoy said.

In some cases, he speculates that a lot of the same vulnerability information is being traded on the private, underground vulnerability market. In those scenarios, the vulnerabilities are almost never reported to the vendor. “There’s overlap everywhere, so when vendors take a year or two years to ship a patch, we have to assume there’s a big window of exposure that puts everyone at risk.”

Some other bug finders, like VUPEN and Immunity, never disclose vulnerabilities to affected vendors, setting up situations where patches are never created and businesses and consumers are exposed to unknown risk.

“With this new disclosure policy, we’re hoping to eliminate not only our outstanding issues, but those [assumed] outstanding issues,” he said.

The six-month deadline is by far the most lenient among research teams that report flaws to vendors. US-CERT uses a 45-day disclosure policy, and Google’s security team recently said it would release details if vendors fail to fix a flaw within 60 days.
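The article describes three deadline policies (ZDI’s six calendar months, US-CERT’s 45 days, Google’s 60 days), a queue of cases measured in “days outstanding”, and case-by-case extensions that ZDI says it will document publicly. The following Python is an added example, not code from ZDNet or from ZDI, showing how a defender-side vulnerability-coordination tracker can model those rules: calendar-month arithmetic for the six-month deadline, recorded (never silent) extensions, and an ageing report that flags overdue cases. All case identifiers, vendor names and dates in it are constructed for illustration.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Disclosure policies named in the article. ZDI's deadline is six calendar
# months; US-CERT and Google state theirs in days.
POLICIES = {
    "ZDI": ("months", 6),
    "US-CERT": ("days", 45),
    "Google": ("days", 60),
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; the day is clamped to the target month's
    length, so 2010-08-31 plus six months is 2011-02-28."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deadline_for(reported: date, policy: str) -> date:
    unit, n = POLICIES[policy]
    if unit == "months":
        return add_months(reported, n)
    return reported + timedelta(days=n)


@dataclass
class Advisory:
    ident: str      # constructed identifier, not a real ZDI case number
    vendor: str     # constructed vendor name
    reported: date  # date the issue was reported to the vendor
    # Each extension is (granted_on, new_deadline, reason); keeping the
    # record is the point, since the article says ZDI documents extensions.
    extensions: list = field(default_factory=list)

    def effective_deadline(self, policy: str = "ZDI") -> date:
        base = deadline_for(self.reported, policy)
        return max([base] + [new for _, new, _ in self.extensions])

    def days_outstanding(self, today: date) -> int:
        return (today - self.reported).days

    def is_overdue(self, today: date, policy: str = "ZDI") -> bool:
        return today > self.effective_deadline(policy)


def grant_extension(adv: Advisory, granted_on: date, new_deadline: date, reason: str) -> None:
    """Record an extension with its justification rather than quietly moving the date."""
    adv.extensions.append((granted_on, new_deadline, reason))


def overdue_report(queue, today: date, policy: str = "ZDI"):
    """Overdue cases, oldest first, as (ident, vendor, days_outstanding)."""
    rows = [(a.ident, a.vendor, a.days_outstanding(today))
            for a in queue if a.is_overdue(today, policy)]
    return sorted(rows, key=lambda r: -r[2])


def sample_queue():
    """Constructed queue as of the policy start date in the article (2010-08-04)."""
    q = [
        Advisory("CASE-001", "Vendor A", date(2008, 12, 1)),   # well over 600 days old
        Advisory("CASE-002", "Vendor B", date(2010, 3, 10)),   # inside six months
        Advisory("CASE-003", "Vendor C", date(2009, 11, 30)),  # past deadline, extended
        Advisory("CASE-004", "Vendor D", date(2010, 1, 31)),   # deadline 2010-07-31
    ]
    grant_extension(q[2], date(2010, 5, 20), date(2010, 10, 1),
                    "vendor documented a fix that requires an architectural change")
    return q


TODAY = date(2010, 8, 4)

if __name__ == "__main__":
    for ident, vendor, days in overdue_report(sample_queue(), TODAY):
        print(f"{ident} ({vendor}): {days} days outstanding, overdue under ZDI policy")
```

Running the tracker against the constructed queue on 2010-08-04 reports CASE-001 (611 days) and CASE-004 (185 days) as overdue; CASE-003 is not, because its recorded extension moves the effective deadline to October, and CASE-002 is still inside its six months. Switching the policy argument to "Google" or "US-CERT" shows how much shorter those windows are for the same queue.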


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 21)

  • A year?
    One year is far too long. 6 months should be enough, but only for some patches. Most patches in non-critical parts of systems should be closed within 2 months.
    honeymonster
    3rd Aug 2010
  • Dietrich T. Schmitz, ~ Your Linux Advocate
    3rd Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    @Dietrich T. Schmitz, Your Linux Advocate

    Umm, no, it is still an issue. The last time I checked, Linux is an OS, which is software, which has flaws like any other. And no, I am not getting into the semantics of whether Linux has more or less than Apple or MS. You and Love My rocks off need to quit posting so much fanboy crap and stick to educated postings, not fan rants.
    MLHACK
    3rd Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    @Dietrich T. Schmitz, Your Linux Advocate

    Ya, Ubuntu is so stinking good Dell removed it from their web store last week HAHAHAHHAHHAHAH

    Ubuntu is a non-issue for sure
    Stan57
    3rd Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    @Stan57

    Hmmm... maybe I don't understand quite completely, but I was able to find computers on the Dell site that offer Ubuntu rather easily.

    Anyways, why not use openSUSE or SUSE Enterprise Linux and get AppArmor from the people who made it (i.e. Novell)?
    hito_kiri
    6th Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    FALSE, because when you have a flaw in the Linux kernel, AppArmor can't save your ass.
    directory
    4th Aug 2010
  • sooo no.
    @directory That's usually human error, by tinkering with the system.
    I've been using Ubuntu for 5 yrs now and I haven't had much trouble at all.
    jacky.alcine
    16th Aug 2010
  • So true
    @Dietrich T. Schmitz, Your Linux Advocate

    That's so true; viruses are jokes to Ubuntu.
    jacky.alcine
    16th Aug 2010
  • What is the discussion about Google releasing Microsoft vulnerabilities?
    Google is giving even less time (a week?) about Microsoft vulnerabilities...
    Roque Mocan
    3rd Aug 2010
  • Microsoft will sue these companies.
    Microsoft will tell all these vendors trying to dictate to them when to issue a patch to get lost.

    Look what happened with Tavis Ormandy: Microsoft said no to 60 days, so Ormandy released the technical details to the public domain within 5 days.

    All that's going to happen here is a bunch of companies such as TippingPoint releasing vulnerabilities to the public domain when no patch is available and getting sued by Microsoft for it.
    n3td3v
    3rd Aug 2010
  • Don't let facts get in your way
    @n3td3v

    Microsoft *never* said "no" to Mr. Ormandy. This is what happened:
    1) Ormandy reported the vuln to MS on a Saturday, informing them that he expected them to commit to a 60-day deadline for a patch.
    2) Tuesday (a busy Patch Tuesday) MS got back to Ormandy and told him they would be able to lay out a schedule with him the upcoming Friday, after having analyzed the problem.
    3) Wednesday Ormandy went public. He also designed a "fix", which ironically validates the concern that a rushed fix may do more harm than good, since his fix was ineffective and easily circumvented according to independent security company Secunia.
    4) Within 6 days real attacks commenced. Attack code shows parts of Ormandy's proof-of-concept code have been copied.

    And then your claim that Microsoft will sue. Microsoft has never sued a researcher, nor have they indicated any desire to do so. You are spreading FUD.
    honeymonster
    3rd Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    @honeymonster

    "Microsoft has never sued a researcher, nor have they indicated any desire to do so."

    There is a BIG difference between individual researchers going full-disclosure and a vendor such as TippingPoint, with a lot of money to lose, going full-disclosure.

    Indeed, Microsoft hasn't sued individual researchers, as individual researchers have next to no money to lose; however, big vendors such as TippingPoint, owned by HP, do.
    n3td3v
    3rd Aug 2010
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors
    @n3td3v
    They won't have a choice but to sue. I can't believe Ormandy is still employed after what happened. I'm still waiting for Microsoft to put some pressure on him and on Google for their negligence.
    Loverock Davidson
    3rd Aug 2010
