In an effort to push vendors to patch vulnerabilities more quickly, TippingPoint, the Austin, TX-based IPS vendor, announced that its Zero Day Initiative (ZDI) will now enforce a six-month deadline on vulnerabilities that it submits to vendors.
The vulnerability disclosure operation's sprawling queue currently contains over 100 submitted bugs. More than 50 of the submissions are more than 180 days old, and these include advisories related to the products of Symantec, Oracle, RealNetworks, Apple, Borland, EMC, Sun Microsystems, Microsoft and Hewlett-Packard, the company that acquired TippingPoint in November of 2009. One, an IBM flaw, was discovered in May of 2007.
The Zero Day Initiative, a program that began five years ago, buys vulnerabilities from researchers, offering various levels of payment depending on the severity of the exposed flaw, the value of the vulnerable product, and other criteria. The vulnerability then becomes the company's intellectual property, its development team provides an IPS signature to protect TippingPoint customers from the flaw, and a vulnerability report is sent to the affected vendor, describing ways that an attack can be triggered.
Until today, vendors could patch the flaw on their own time. Once the ZDI deadline is enforced, however, and the six months have passed, the Zero Day Initiative team will release a limited advisory online that provides basic knowledge of the vulnerability, along with non-patch mitigation techniques.
In 2009, ZDI had 101 submitted vulnerabilities, and currently the initiative is on pace to double that number, according to Aaron Portnoy, manager of security research at the Zero Day Initiative.
"Managing the vulnerabilities is burdensome when it goes beyond the six-month deadline," said Portnoy, explaining that if enough time goes by without a patch, multiple researchers may discover the same flaw, the window of risk will increase, and security researchers will get antsy that their vulnerabilities have not been addressed. As part of the Zero Day Initiative, TippingPoint creates a vulnerability signature after the vendor is contacted. The limited advisory is intended to help non-customers who have neither a patch nor a signature.
"We think it's our responsibility to release mitigation to non-customers in our limited advisory," Portnoy said. "If it has the intended effect, these vendors will realize that someone is actually holding them accountable…They're going to start pushing vulnerabilities out quicker," said Portnoy, who believes that six months is more than enough time to create a patch.
"The six months is a lot longer than what others in the industry have given," he said. He cited Carnegie Mellon's vulnerability disclosure team, the Computer Emergency Response Team (CERT), which has a 45-day disclosure deadline, and Google, which recently announced that it would release security information after 60 days.
In special cases, such as an operating system or a core component, it may be difficult to provide a patch within six months; in those cases TippingPoint's Zero Day Initiative will grant extensions to vendors that require them. To give the Zero Day Initiative community full transparency into the vendor's reasoning, however, any communication related to the extension will be published online, according to Portnoy.