New vulnerability disclosure deadline puts pressure on tardy software vendors

TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.
Written by Ryan Naraine, Contributor on

Looking to put pressure on software vendors that procrastinate on fixing security flaws, the world's biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

"We have about 31 outstanding issues that are more than a year old. We believe that's an unacceptable window of exposure [to risk]," says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI's public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding.

Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI's list.

There are about 90 vulnerabilities in TippingPoint's queue that are more than six months old. Portnoy says the company may extend the six-month deadline "on a case-by-case basis" if there is evidence that there are technical complications to shipping patches within that time frame.  In cases where extensions are granted, ZDI will publicly document the entire communication process with the affected vendor to ensure there is transparency with affected users.

However, once the deadline expires, ZDI plans to publish a limited advisory with details about the vulnerability and affected software to help the defensive/security community come up with applicable mitigations. "We want to make sure this window of risk is reduced and help people protect their systems."

ZDI won't be releasing full technical details of the flaws or proof-of-concept/exploit code.

"We think this will push vendors in the right direction," Portnoy said in an interview.

The ZDI program is very popular with hackers looking to cash in on their research in a legitimate marketplace. Instead of reporting software flaws to vendors, researchers can sell that data to TippingPoint, which gives the information to the affected vendor so that patches can be created and deployed.

"We're doubling the number of vulnerabilities in the program," Portnoy said.  In 2009, the company published 101 advisories and for the first seven months of this year, there have already been 137 advisories released by ZDI.

"We need to implement this deadline to help track the sheer quantity of security bugs coming in," Portnoy said.  "It's becoming a bit of a burden on us to track these old, outstanding issues.  There's a bit of an inefficiency seepage that slows down the time we have to work on new issues coming into our program."

Portnoy also pointed to "overlapping discoveries" that appear to be on the increase. In these cases, multiple security researchers are discovering the same security vulnerability in the same piece of software.

"There's overlap with other research programs, there's overlap in the same submissions coming in to us.  If we're seeing this frequently, we have to assume that others have found -- or already know about -- the outstanding issues.  That's a problem," Portnoy said.

In some cases, he speculates that a lot of the same vulnerability information is being traded on the private, underground vulnerability market.  In those scenarios, the vulnerabilities are almost never reported to the vendor.  "There's overlap everywhere so when vendors take a year or two years to ship a patch, we have to assume there's a big window of exposure that puts everyone at risk."

Some other bug finders, like VUPEN and Immunity, never disclose vulnerabilities to affected vendors, setting up situations where patches are never created and businesses and consumers are exposed to unknown risk.

"With this new disclosure policy, we're hoping to eliminate not only our outstanding issues, but those [assumed] outstanding issues," he said.

The six-month deadline is by far the most lenient among research teams who report flaws to vendors. US-CERT uses a 45-day disclosure policy, and Google's security team recently said it would release details if vendors fail to fix a flaw within 60 days.
