Bug bounty operator presses vendors to pick up patching pace

HP TippingPoint's 'Zero Day Initiative' will go public with bug information 120 days after reporting vulnerabilities to software makers

Citing the need to prod software vendors to patch vulnerabilities even faster, Hewlett-Packard's bug bounty program said it was shortening its patch-or-go-public policy to 120 days.

The Zero Day Initiative (ZDI), a researcher reward program run by HP's TippingPoint division, a maker of corporate intrusion prevention system (IPS) and firewall appliances, announced the new deadline at the RSA Conference, a massive security trade show and conference that wraps up today in San Francisco.

"One very clear way to push ourselves, and our partners, to increase our commitment to the contributing independent researchers who entrust us with their work, and most of all, to push our commitment to more secure computing, is to draw in our public disclosure deadline," said Shannon Sabens, a senior security content manager at TippingPoint, in a blog Wednesday announcing the change.

Starting with bug reports submitted by researchers on or after March 1, ZDI will ask affected vendors to issue a fix within 120 days of receiving the vulnerability report from the bounty program.

If a fix isn't released within 120 days, ZDI may pressure the vendor by issuing an advisory that will include limited details of the vulnerability, as well as any workarounds ZDI can come up with to help protect users until an official patch appears.

The deadline isn't new: ZDI instituted a 180-day patch-or-go-public policy in August 2010. But ZDI wants vendors to pick up the pace.

"Our purpose in changing the policy is to push vendors to decrease the amount of time it takes them to react to responsibly disclosed vulnerabilities and to reduce the attack surface faster," Sabens said.

Since the 2010 debut of the patch deadline, software makers have gotten faster at issuing security updates for the bugs ZDI hands them. "Overall, vendor timelines are greatly reduced," Sabens contended.

She cited some statistics to prove her point, saying that in 2010, 30% of the vulnerabilities given to vendors took longer than 180 days to patch. ZDI's current inventory consists of 175 unpatched vulnerabilities, of which only 18, or about 10% of the total, have a reporting date 180 or more days ago.
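As an added illustration (not code from the article or from ZDI), here is a small Python model of the deadline rule described above: reports submitted before the change keep the 180-day clock, later ones get 120 days, and an unpatched report past its clock becomes a candidate for a limited-detail advisory. The case labels and dates are constructed; the summary reproduces the kind of "unpatched / 120+ / 180+ days" counts the article quotes.

```python
from dataclasses import dataclass
from datetime import date

# Deadlines described in the article: 180 days under the August 2010 policy,
# 120 days for reports submitted to ZDI on or after March 1.
OLD_DEADLINE_DAYS = 180
NEW_DEADLINE_DAYS = 120


@dataclass
class Report:
    case_id: str                 # hypothetical tracking label, not a real ZDI case number
    reported: date               # day the vendor received the report
    submitted_after_change: bool # submitted to ZDI on/after March 1 -> 120-day clock
    patched: bool = False


def deadline_days(report: Report) -> int:
    """Deadline that applies to this report under the old or new policy."""
    return NEW_DEADLINE_DAYS if report.submitted_after_change else OLD_DEADLINE_DAYS


def age_days(report: Report, today: date) -> int:
    """Days the vendor has had the report."""
    return (today - report.reported).days


def pending_advisories(reports, today):
    """Unpatched reports whose clock has run out: candidates for a limited-detail advisory."""
    return sorted(r.case_id for r in reports
                  if not r.patched and age_days(r, today) >= deadline_days(r))


def inventory_summary(reports, today):
    """Counts like the ones in the article: unpatched total and how many are 120+/180+ days old."""
    unpatched = [r for r in reports if not r.patched]
    total = len(unpatched)
    over_120 = sum(1 for r in unpatched if age_days(r, today) >= 120)
    over_180 = sum(1 for r in unpatched if age_days(r, today) >= 180)
    return {"unpatched": total, "over_120": over_120, "over_180": over_180,
            "pct_over_120": round(100 * over_120 / total) if total else 0,
            "pct_over_180": round(100 * over_180 / total) if total else 0}


# Constructed sample inventory (dates, labels and the "today" value are invented).
TODAY = date(2014, 7, 20)
SAMPLE = [
    Report("CASE-A", date(2014, 1, 10), submitted_after_change=False),          # 191 days, old clock
    Report("CASE-B", date(2014, 2, 25), submitted_after_change=False),          # 145 days, old clock
    Report("CASE-C", date(2014, 3, 5), submitted_after_change=True),            # 137 days, new clock
    Report("CASE-D", date(2014, 4, 15), submitted_after_change=True),           # 96 days, new clock
    Report("CASE-E", date(2014, 1, 5), submitted_after_change=False, patched=True),
]

if __name__ == "__main__":
    print(inventory_summary(SAMPLE, TODAY))
    print("advisory candidates:", pending_advisories(SAMPLE, TODAY))
```

CASE-B is the case the policy change targets: at 145 days it is still inside the old 180-day window but would already be past a 120-day clock.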

ZDI buys vulnerabilities from independent security researchers -- it closely guards how much it pays -- and then turns over the information to the pertinent software maker. An unpatched flaw uncovered in Windows 8, for example, is handed to Microsoft's security team.

TippingPoint then creates detections for the vulnerabilities and adds them to its IPS line, thus protecting its customers before a patch is available.

ZDI is also known for sponsoring the annual Pwn2Own hacking contest, one of the most lucrative challenges each year. Slated to run March 12-13 at the CanSecWest security conference in Vancouver, British Columbia, Pwn2Own is in its eighth year.

Bugs used to win awards at Pwn2Own are treated the same way as those submitted to the bounty program throughout the year: Reports are sent to vendors and TippingPoint adds detections to its IPS appliances.

This year's Pwn2Own, which will be co-sponsored by Google, will put a record $645,000 in prize money on the table.

Vulnerabilities purchased by ZDI regularly surface in patches crafted by the biggest software vendors, including Microsoft and Apple. The most recent update to OS X Mavericks, for example, which Apple issued earlier this week, included fixes for three flaws in QuickTime that were reported by ZDI. Microsoft's February security updates included patches for 10 ZDI-submitted vulnerabilities, all but one of them in Internet Explorer (IE), Microsoft's browser.

According to the ZDI website's "Upcoming Advisories" page, 60 of the 175 unpatched bugs, or 34%, were 120 or more days old.

This article, Bug bounty operator presses vendors to pick up patching pace, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.
