The vulnerability disclosure operation's sprawling queue currently contains
The Zero Day Initiative, a program that began five years ago, buys vulnerabilities from researchers, offering various levels of payment depending on the severity of the exposed flaw, the value of the vulnerable product, and other criteria. The vulnerability then becomes the company's intellectual property, its development team provides an IPS signature to protect TippingPoint customers from the flaw, and a vulnerability report is sent to the affected vendor, describing ways that an attack can be triggered.
Until today, vendors could patch the flaw on their own time. Once the ZDI deadline is enforced, however, and the six months have passed, the Zero Day Initiative team will release a limited advisory online that provides basic knowledge of the vulnerability, along with non-patch mitigation techniques.
In 2009, ZDI had 101 submitted vulnerabilities, and the initiative is currently on pace to double that number, according to Aaron Portnoy, manager of security research at the Zero Day Initiative.
"Managing the vulnerabilities is burdensome when it goes beyond the six-month deadline," said Portnoy, noting that if enough time goes by without a patch, multiple researchers may discover the same flaw, the window of risk will increase, and security researchers will get antsy that their vulnerabilities have not been addressed. As part of the Zero Day Initiative, TippingPoint creates a vulnerability signature after the vendor is contacted. The limited advisory attempts to help non-customers who do not have a patch or signature.
"We think it's our responsibility to release mitigation to non-customers in our limited advisory," Portnoy said. "If it has the intended effect, these vendors will realize that someone is actually holding them accountable…They're going to start pushing vulnerabilities out quicker," said Portnoy, who believes that six months is more than enough time to create a patch.
"The six months is a lot longer than what others in the industry have given," he said. Carnegie Mellon's vulnerability disclosure team, the Computer Emergency Response Team (CERT), he cited, has a 45-day disclosure deadline, and Google recently announced that it would release security information after 60 days.
In special cases, it may be difficult to provide a patch for particular tools (an operating system or core component, for example), in which case TippingPoint's Zero Day Initiative will grant extensions to vendors that require them. To provide the Zero Day Initiative community with full transparency into the vendor's reasoning, however, any communication related to the extension will be published online, according to Portnoy.