New vulnerability disclosure deadline puts pressure on tardy software vendors

Summary: TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

Looking to put pressure on software vendors that procrastinate on fixing security flaws, the world's biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

ZDI, a TippingPoint program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

"We have about 31 outstanding issues that are more than a year old. We believe that's an unacceptable window of exposure [to risk]," says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI's public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding.

Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI's list.

There are about 90 vulnerabilities in TippingPoint's queue that are more than six months old. Portnoy says the company may extend the six-month deadline "on a case-by-case basis" if there is evidence that there are technical complications to shipping patches within that time frame. In cases where extensions are granted, ZDI will publicly document the entire communication process with the affected vendor to ensure there is transparency with affected users.

However, once the deadline expires, ZDI plans to publish a limited advisory with details about the vulnerability and affected software to help the defensive/security community come up with applicable mitigations. ZDI won't be releasing full technical details of the flaws or proof-of-concept/exploit code.

"We want to make sure this window of risk is reduced and help people protect their systems. We think this will push vendors in the right direction," Portnoy said in an interview.

The ZDI program is very popular with hackers looking to cash in on their research in a legitimate marketplace. Instead of reporting software flaws to vendors, researchers can sell that data to TippingPoint in a way where the information is given to the affected vendor so that patches can be created and deployed.

"We're doubling the number of vulnerabilities in the program," Portnoy said. In 2009, the company published 101 advisories, and for the first seven months of this year there have already been 137 advisories released by ZDI.

"We need to implement this deadline to help track the sheer quantity of security bugs coming in," Portnoy said. "It's becoming a bit of a burden on us to track these old, outstanding issues. There's a bit of an inefficiency seepage that slows down the time we have to work on new issues coming into our program."

Portnoy also pointed to "overlapping discoveries," which appear to be on the increase. In these cases, multiple security researchers are discovering the same security vulnerability in the same piece of software.

"There's overlap with other research programs, there's overlap in the same submissions coming in to us. If we're seeing this frequently, we have to assume that others have found -- or already know about -- the outstanding issues. That's a problem," Portnoy said.

In some cases, he speculates that a lot of the same vulnerability information is being traded on the private, underground vulnerability market. In those scenarios, the vulnerabilities are almost never reported to the vendor. "There's overlap everywhere, so when vendors take a year or two years to ship a patch, we have to assume there's a big window of exposure that puts everyone at risk."

Some other bug finders, like VUPEN and Immunity, never disclose vulnerabilities to affected vendors, setting up situations where patches are never created and businesses and consumers are exposed to unknown risk.

"With this new disclosure policy, we're hoping to eliminate not only our outstanding issues, but those [assumed] outstanding issues," he said.

The six-month deadline is by far the most lenient among research teams that report flaws to vendors. US-CERT uses a 45-day disclosure policy, and Google's security team recently said it would release details if vendors fail to fix a flaw within 60 days.

Talkback

19 comments
  • A year?

    One year is far too long. 6 months should be enough, but only for some patches. Most patches in non-critical parts of systems should be closed within 2 months.
    honeymonster
  • If you use Ubuntu Linux with AppArmor, this becomes a non-issue

    nt
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

      @Dietrich T. Schmitz, Your Linux Advocate

      Umm, no, it is still an issue. The last time I checked, Linux is an OS, which is software, which has flaws like any other. And no, I am not getting into the semantics of whether Linux has more or less than Apple or MS. You and Love My rocks off need to quit posting so much fanboy crap and stick to educated postings, not fan rants.
      MLHACK
    • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

      @Dietrich T. Schmitz, Your Linux Advocate

      Ya, Ubuntu is so stinking good Dell removed it from their web store last week. HAHAHAHHAHHAHAH

      Ubuntu is a non issue for sure
      Stan57
      • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

        @Stan57

        Hmmm... maybe I don't understand quite completely, but I was able to find Computers on the Dell site that offer Ubuntu rather easily.

        Anyways, why not use openSUSE or SUSE Enterprise Linux and get AppArmor from the people who made it (i.e. Novell)?
        hito_kiri
    • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

      FALSE, because when you have a flaw in the Linux kernel, AppArmor can't save your ass.
      directory
      • sooo no.

        @directory That's usually human error, by tinkering with the system.
        I've been using Ubuntu for 5 yrs now and I haven't had much trouble at all.
        jacky.alcine
  • So true

      @Dietrich T. Schmitz, Your Linux Advocate

      That's so true; viruses are jokes to Ubuntu.
      jacky.alcine
  • What is the discussion about Google releasing Microsoft vulnerabilities?

    Google is giving even less time (a week?) about Microsoft vulnerabilities...
    Roque Mocan
  • Microsoft will sue these companies.

    Microsoft will tell all these vendors trying to dictate to them when to issue a patch to get lost.

    Look what happened with Tavis Ormandy, Microsoft said no to 60 days, so Ormandy released the technical details to the public domain within 5 days.

    All that's going to happen here is a bunch of companies such as TippingPoint releasing vulnerabilities to the public domain when no patch is available and getting sued by Microsoft for it.
    n3td3v
    • Don't let facts get in your way

      @n3td3v

      Microsoft *never* said "no" to Mr. Ormandy. This is what happened:
      1) Ormandy reported the vuln to MS on a Saturday, informing them that he expected them to commit to a 60-day deadline for a patch.
      2) Tuesday (a busy Patch Tuesday) MS got back to Ormandy and told him they would be able to lay out a schedule with him the upcoming Friday - after having analyzed the problem.
      3) Wednesday Ormandy went public. He also designed a "fix" - which ironically validates the concern that a rushed fix may do more harm than good, since *his fix was ineffective* and easily circumvented, according to independent security company Secunia.
      4) Within 6 days real attacks commenced. Attack code shows parts of Ormandy's proof-of-concept code have been copied.

      And then your claim that Microsoft will sue. Microsoft has *never* sued a researcher, nor have they indicated any desire to do so. You are spreading FUD.
      honeymonster
      • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

        @honeymonster

        "Microsoft has never sued a researcher, nor have they indicated any desire to do so."

        There is a BIG difference between individual researchers going full-disclosure and a vendor such as TippingPoint, with a lot of money to lose, going full-disclosure.

        Indeed, Microsoft haven't sued individual researchers, as individual researchers have next to no money to lose; however, big vendors such as TippingPoint, owned by HP, do.
        n3td3v
    • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

      @n3td3v
      They won't have a choice but to sue. I can't believe Ormandy is still employed after what happened. I'm still waiting for Microsoft to put some pressure on him and on Google for their negligence.
      Loverock Davidson
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

    Doesn't this sound like blackmail?
    IUseComputers
    • Not really

      @IUseComputers They are giving 6 months' notice. I don't think that is blackmail at all.

      After all, they are not asking for a single dime. If a company is too incompetent to fix a vulnerability within 6 months when somebody else went through the trouble of developing a reproducible test, then they deserve to be shamed and ridiculed.

      I think that the top two companies that will be affected are Adobe (the never fix anything until it becomes a PR nightmare company) and Microsoft (the fix only after it is publicly known company).
      wackoae
      • Others too...

        @wackoae Apple too... Apple has several patches pending for Safari and OS X.
        snoop0x7b
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

    The problem I have with this "six month deadline" is that sometimes the "fix" actually breaks other things. It's never quite as simple as "fixing it". It's come up with a proposed fix, then test the hell out of it and hope that nothing else was broken by the fix.

    Most times they find out if the fix breaks other things; sometimes they don't, so again, it's never quite that simple.
    PollyProteus
  • RE: New vulnerability disclosure deadline puts pressure on tardy software vendors

    The kernel vulnerability I discovered could kill Microsoft off because it affects all Windows versions from 95 to Windows XP that I know of, but I do not know about Vista or Windows 7. There is no way to patch this; they are going to have to totally rebuild the kernel. They must have retards at Microsoft to not discover this one at all!!!!!!:)
    Princess Milissa Annie
    PrincessMilissa
  • kernel vulnerability I discovered could kill Microsoft off

    The kernel vulnerability I discovered could kill Microsoft off because it affects all Windows versions from 95 to Windows XP that I know of, but I do not know about Vista or Windows 7. There is no way to patch this; they are going to have to totally rebuild the kernel. They must have hired RETARDS at Microsoft. This one should have been caught in the beginning.
    Princess Milissa Annie
    PrincessMilissa