TippingPoint goes public with Zero Day flaws

TippingPoint has celebrated the one-year anniversary of its Zero Day Initiative bug bounty programme by putting more pressure on software makers to fix bugs.

The intrusion prevention product vendor, a division of 3Com, said this week it would begin publishing some details on all vulnerabilities that are pending public disclosure on its Zero Day Initiative Web site.

Through the Zero Day Initiative, TippingPoint pays security researchers who tell it about newly discovered zero day vulnerabilities. The company then notifies the affected vendor so a patch can be developed, and also acts to protect its customers against attacks that exploit the vulnerabilities.

TippingPoint has now listed minimal details on 29 issues that have been reported to the Zero Day Initiative and are currently being addressed by the affected vendors. The list of vendors includes Microsoft (six times), CA (four times), Novell (three times), Apple (three times) and Symantec (twice).

TippingPoint only publishes the vendor name, the severity of the bug it reported and when it reported the bug. The list shows, for example, that Adobe Systems and CA have yet to address high-severity issues that were reported 146 days ago.

"No technical details are shared about the vulnerability or the name of the vendor's specific product in order to protect exposed users of the affected vendor," TippingPoint said in a statement. Such publication ups the pressure on vendors to address the flaws.

Security researchers can become frustrated with vendors who fail to act quickly to address security problems. TippingPoint's initiave allows them to publicise the existance of a flaw, without having to reveal details to the whole industry.

"Vulnerabilties can be publicly disclosed by researchers if they get impatient about the time taken between vulnerabilties being disclosed to the vendor, and patches being made available," said Richard Starnes, president of the Information Systems Security Association (ISSA).

"There's a lot of incentive for security researchers to submit vulnerabilities to the programme, rather than disclose them in an untimely manner," Starnes told ZDNet UK.

Starnes said that the programme would have a positive effect if it becomes more widely known, and if security researchers continue to become involved in the initiative.

VeriSign's iDefense runs a program similar to TippingPoint's.