Feeds

Big vendors get deadline to fix holes, or face the music

Full, responsible, coordinated or no disclosure - take your pick

SANS - Survey on application security programs

Analysis TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.

The intrusion prevention specialist, bought by HP earlier this year, has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches. Under the new line, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.

"Comprehensive protection of critical data assets requires organizations to keep their defenses up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of security research at TippingPoint. “This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

A reported 31 high risk vulnerabilities have lain in ZDI's database for more than a year. Some of these have been without a patch for three years, Portnoy told Dark Reading.

TippingPoint's decision to draw a line in the sand last week comes amid a more general shake-up in the way both vendors and security researchers approach the disclosure of security bugs.

Last month Google said it would give vendors a breathing space of just 60 days before going public with vulnerabilities.

Microsoft, meanwhile, argues that a one-size-fits-all approach to vulnerability disclosure timescales is too simplistic. Some flaws take longer to fix and test than others. Rushing security fixes may therefore work against the wider interest of end-users, the company argues.

Redmond's philosophy of "co-ordinated vulnerability disclosure" is summarised in a blog post here. The approach is essentially a re-branding of responsible disclosure that omits the loaded term of "responsible".

In both coordinated and responsible disclosure security problems are reported privately to the vendor, and not disclosed to third parties until the vendor issues a patch.

By contrast, proponents of full disclosure argue that information on vulnerabilities should be publicly disclosed as soon as possible so that workarounds can be developed. The approach puts pressure on vendors to develop security updates more quickly, rather than sitting on problems for months on end.

Some vendors, including Mozilla and Google, grease the wheels of vulnerability disclosure by offering to pay researchers bug bounties. The fees they offer were recently increased to $3,000 and $3,133.70 respectively.

But Microsoft has held out against the trend. This prompted French security research firm Vupen to say it would only tell its own customers about flaws it discovered, without bothering to talk to Redmond or anyone else - a policy of "no disclosure", as H-Security notes.

The lines in the vulnerability disclosure debate used to be closely drawn between vendors and security researchers, with hackers and virus writers on the sideline. The growing importance of vulnerability marketplaces means it's not just a game played out between vendors or security researchers in isolation any more. TippingPoint's ZDI is perhaps the best known of these marketplaces, but iDefense and WabiSabiLabi's "eBay for security bugs" are also in the game.

Various hacking contests at CanSecWest and elsewhere - where security researchers attempt to exploit browser or operating system flaws to claim prizes - also play a role.

Whether all this makes the internet more or less secure for end-users is tough to say, but it does make life more lucrative for security researchers and arguably puts vendors under more pressure, especially after TippingPoint's decision to set an effective time limit on the game. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.