Feeds

Big vendors get deadline to fix holes, or face the music

Full, responsible, coordinated or no disclosure - take your pick

Using blade systems to cut costs and sharpen efficiencies

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.

The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches. Under the new line, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.

"Comprehensive protection of critical data assets requires organizations to keep their defenses up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of security research at TippingPoint. “This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

A reported 31 high risk vulnerabilities have lain in ZDI's database for more than a year. Some of these have been without a patch for three years, Portnoy told Dark Reading.

TippingPoint's decision to draw a line in the sand last week comes amid a more general shake-up in the way both vendors and security researchers approach the disclosure of security bugs.

Last month Google said it would give vendors a breathing space of just 60 days before going public with vulnerabilities.

Microsoft, meanwhile, argues that a one-size-fits-all approach to vulnerability disclosure timescales is too simplistic. Some flaws take longer to fix and test than others. Rushing security fixes may therefore work against the wider interest of end-users, the company argues.

Redmond's philosophy of "co-ordinated vulnerability disclosure" is summarised in a blog post here. The approach is essentially a re-branding of responsible disclosure that omits the loaded term of "responsible".

In both coordinated and responsible disclosure security problems are reported privately to the vendor, and not disclosed to third parties until the vendor issues a patch.

By contrast, proponents of full disclosure argue that information on vulnerabilities should be publicly disclosed as soon as possible so that workarounds can be developed. The approach puts pressure on vendors to develop security updates more quickly, rather than sitting on problems for months on end.

Some vendors, including Mozilla and Google, grease the wheels of vulnerability disclosure by offering to pay researchers bug bounties. The fees they offer were recently increased to $3,000 and $3,133.70 respectively.

But Microsoft has held out against the trend. This prompted French security research firm Vupen to say it would only tell its own customers about flaws it discovered, without bothering to talk to Redmond or anyone else - a policy of "no disclosure", as H-Security notes.

The lines in the vulnerability disclosure debate used to be closely drawn between vendors and security researchers, with hackers and virus writers on the sideline. The growing importance of vulnerability marketplaces means it's not just a game played out between vendors or security researchers in isolation any more. TippingPoint's ZDI is perhaps the best known of these marketplaces, but iDefense and WabiSabiLabi's "eBay for security bugs" are also in the game.

Various hacking contests at CanSecWest and elsewhere - where security researchers attempt to exploit browser or operating system flaws to claim prizes - also play a role.

Whether all this makes the internet more or less secure for end-users is tough to say, but it does make life more lucrative for security researchers and arguably puts vendors under more pressure, especially after TippingPoint's decision to set an effective time limit on the game. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.