February 8th, 2011, 09:36 GMT · By

ZDI Discloses Vulnerabilities Vendors Failed to Resolve in Timely Manner

ZDI begins 0day vulnerability disclosures
The Zero Day Initiative (ZDI) began publicly disclosing information about vulnerabilities that vendors failed to patch within a six-month time frame.

ZDI is a program run by TippingPoint, Hewlett-Packard's intrusion prevention solutions division, through which security researchers are paid for zero-day vulnerabilities.

The company uses the information to improve the accuracy of its IPS systems and coordinates a patching effort with the affected vendors under the principles of responsible disclosure.

However, some companies take advantage of researchers' willingness to wait and delay patches for an unreasonably long time.

To discourage this practice, in August last year TippingPoint introduced a six-month deadline after which it would begin publicly disclosing information about outstanding vulnerabilities.

The deadline expired today and the company began publishing "0day" advisories. The top offenders are IBM, with nine unpatched vulnerabilities, Microsoft with five and HP with four.

Aaron Portnoy, manager of TippingPoint's security research team, said on Twitter that in some cases the company granted deadline extensions due to special conditions that delayed patching, such as acquisitions or OEMed code.

One important thing to note is that advisories published as a result of this new ZDI policy are unlike the ones usually released after vulnerabilities have been patched.

They don't reveal nearly as many details about the flaws, because their purpose is to provide mitigation information that would help users stay protected until a patch is ready.

The premise is that the longer a vulnerability remains unpatched, the higher the chances that hackers will discover it independently.

Mr. Portnoy told V3.co.uk that cases where multiple researchers discover the same vulnerability are quite common. In one circumstance, one flaw was independently discovered and reported by seven different people.

Because of this, some researchers believe that even six months is too long. Last year, Google announced its support for a patching deadline of 60 days.
