Feeds

Big vendors get deadline to fix holes, or face the music

Full, responsible, coordinated or no disclosure - take your pick

Secure remote control for conventional and virtual desktops

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.

The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches. Under the new line, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.

"Comprehensive protection of critical data assets requires organizations to keep their defenses up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of security research at TippingPoint. “This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

A reported 31 high risk vulnerabilities have lain in ZDI's database for more than a year. Some of these have been without a patch for three years, Portnoy told Dark Reading.

TippingPoint's decision to draw a line in the sand last week comes amid a more general shake-up in the way both vendors and security researchers approach the disclosure of security bugs.

Last month Google said it would give vendors a breathing space of just 60 days before going public with vulnerabilities.

Microsoft, meanwhile, argues that a one-size-fits-all approach to vulnerability disclosure timescales is too simplistic. Some flaws take longer to fix and test than others. Rushing security fixes may therefore work against the wider interest of end-users, the company argues.

Redmond's philosophy of "co-ordinated vulnerability disclosure" is summarised in a blog post here. The approach is essentially a re-branding of responsible disclosure that omits the loaded term of "responsible".

In both coordinated and responsible disclosure security problems are reported privately to the vendor, and not disclosed to third parties until the vendor issues a patch.

By contrast, proponents of full disclosure argue that information on vulnerabilities should be publicly disclosed as soon as possible so that workarounds can be developed. The approach puts pressure on vendors to develop security updates more quickly, rather than sitting on problems for months on end.

Some vendors, including Mozilla and Google, grease the wheels of vulnerability disclosure by offering to pay researchers bug bounties. The fees they offer were recently increased to $3,000 and $3,133.70 respectively.

But Microsoft has held out against the trend. This prompted French security research firm Vupen to say it would only tell its own customers about flaws it discovered, without bothering to talk to Redmond or anyone else - a policy of "no disclosure", as H-Security notes.

The lines in the vulnerability disclosure debate used to be closely drawn between vendors and security researchers, with hackers and virus writers on the sideline. The growing importance of vulnerability marketplaces means it's not just a game played out between vendors or security researchers in isolation any more. TippingPoint's ZDI is perhaps the best known of these marketplaces, but iDefense and WabiSabiLabi's "eBay for security bugs" are also in the game.

Various hacking contests at CanSecWest and elsewhere - where security researchers attempt to exploit browser or operating system flaws to claim prizes - also play a role.

Whether all this makes the internet more or less secure for end-users is tough to say, but it does make life more lucrative for security researchers and arguably puts vendors under more pressure, especially after TippingPoint's decision to set an effective time limit on the game. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.