Feeds

Big vendors get deadline to fix holes, or face the music

Full, responsible, coordinated or no disclosure - take your pick

SANS - Survey on application security programs

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.

The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches. Under the new line, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.

"Comprehensive protection of critical data assets requires organizations to keep their defenses up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of security research at TippingPoint. “This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

A reported 31 high risk vulnerabilities have lain in ZDI's database for more than a year. Some of these have been without a patch for three years, Portnoy told Dark Reading.

TippingPoint's decision to draw a line in the sand last week comes amid a more general shake-up in the way both vendors and security researchers approach the disclosure of security bugs.

Last month Google said it would give vendors a breathing space of just 60 days before going public with vulnerabilities.

Microsoft, meanwhile, argues that a one-size-fits-all approach to vulnerability disclosure timescales is too simplistic. Some flaws take longer to fix and test than others. Rushing security fixes may therefore work against the wider interest of end-users, the company argues.

Redmond's philosophy of "co-ordinated vulnerability disclosure" is summarised in a blog post here. The approach is essentially a re-branding of responsible disclosure that omits the loaded term of "responsible".

In both coordinated and responsible disclosure security problems are reported privately to the vendor, and not disclosed to third parties until the vendor issues a patch.

By contrast, proponents of full disclosure argue that information on vulnerabilities should be publicly disclosed as soon as possible so that workarounds can be developed. The approach puts pressure on vendors to develop security updates more quickly, rather than sitting on problems for months on end.

Some vendors, including Mozilla and Google, grease the wheels of vulnerability disclosure by offering to pay researchers bug bounties. The fees they offer were recently increased to $3,000 and $3,133.70 respectively.

But Microsoft has held out against the trend. This prompted French security research firm Vupen to say it would only tell its own customers about flaws it discovered, without bothering to talk to Redmond or anyone else - a policy of "no disclosure", as H-Security notes.

The lines in the vulnerability disclosure debate used to be closely drawn between vendors and security researchers, with hackers and virus writers on the sideline. The growing importance of vulnerability marketplaces means it's not just a game played out between vendors or security researchers in isolation any more. TippingPoint's ZDI is perhaps the best known of these marketplaces, but iDefense and WabiSabiLabi's "eBay for security bugs" are also in the game.

Various hacking contests at CanSecWest and elsewhere - where security researchers attempt to exploit browser or operating system flaws to claim prizes - also play a role.

Whether all this makes the internet more or less secure for end-users is tough to say, but it does make life more lucrative for security researchers and arguably puts vendors under more pressure, especially after TippingPoint's decision to set an effective time limit on the game. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.