Feeds

Big vendors get deadline to fix holes, or face the music

Full, responsible, coordinated or no disclosure - take your pick

Providing a secure and efficient Helpdesk

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.

The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches. Under the new line, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.

"Comprehensive protection of critical data assets requires organizations to keep their defenses up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of security research at TippingPoint. “This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

A reported 31 high risk vulnerabilities have lain in ZDI's database for more than a year. Some of these have been without a patch for three years, Portnoy told Dark Reading.

TippingPoint's decision to draw a line in the sand last week comes amid a more general shake-up in the way both vendors and security researchers approach the disclosure of security bugs.

Last month Google said it would give vendors a breathing space of just 60 days before going public with vulnerabilities.

Microsoft, meanwhile, argues that a one-size-fits-all approach to vulnerability disclosure timescales is too simplistic. Some flaws take longer to fix and test than others. Rushing security fixes may therefore work against the wider interest of end-users, the company argues.

Redmond's philosophy of "co-ordinated vulnerability disclosure" is summarised in a blog post here. The approach is essentially a re-branding of responsible disclosure that omits the loaded term of "responsible".

In both coordinated and responsible disclosure security problems are reported privately to the vendor, and not disclosed to third parties until the vendor issues a patch.

By contrast, proponents of full disclosure argue that information on vulnerabilities should be publicly disclosed as soon as possible so that workarounds can be developed. The approach puts pressure on vendors to develop security updates more quickly, rather than sitting on problems for months on end.

Some vendors, including Mozilla and Google, grease the wheels of vulnerability disclosure by offering to pay researchers bug bounties. The fees they offer were recently increased to $3,000 and $3,133.70 respectively.

But Microsoft has held out against the trend. This prompted French security research firm Vupen to say it would only tell its own customers about flaws it discovered, without bothering to talk to Redmond or anyone else - a policy of "no disclosure", as H-Security notes.

The lines in the vulnerability disclosure debate used to be closely drawn between vendors and security researchers, with hackers and virus writers on the sideline. The growing importance of vulnerability marketplaces means it's not just a game played out between vendors or security researchers in isolation any more. TippingPoint's ZDI is perhaps the best known of these marketplaces, but iDefense and WabiSabiLabi's "eBay for security bugs" are also in the game.

Various hacking contests at CanSecWest and elsewhere - where security researchers attempt to exploit browser or operating system flaws to claim prizes - also play a role.

Whether all this makes the internet more or less secure for end-users is tough to say, but it does make life more lucrative for security researchers and arguably puts vendors under more pressure, especially after TippingPoint's decision to set an effective time limit on the game. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.