August 4th, 2010, 10:35 GMT

ZDI to Enforce Vulnerability Disclosure Deadline

Six-month vulnerability disclosure deadline introduced by Zero Day Initiative program
TippingPoint announced changes to the vulnerability disclosure practices employed by its successful Zero Day Initiative (ZDI) program. The new guidelines involve a six-month deadline for patch availability, but the company is willing to make exceptions in special cases.

Through the ZDI program, TippingPoint, Hewlett-Packard's intrusion prevention solutions division, buys zero-day vulnerability information from security researchers around the world and uses the information to better protect its customers. The company also informs the affected vendors and coordinates a patching effort with them.

Unfortunately, the response from some vendors can be unsatisfactory, to put it mildly. This is reflected on the program's Upcoming Advisories page, which currently lists some 31 high-risk vulnerabilities that were reported over a year ago and are still awaiting a patch.

"In an effort to coerce vendors to work with us on patching these issues more promptly, the ZDI is announcing a 6-month deadline going into effect on 08/04/10. This applies to all future vulnerabilities submitted through our program as well as all currently outstanding reports," Aaron Portnoy, the manager of TippingPoint's security research team, announced. All outstanding advisories, including 70 that are already more than six months old, will get an additional half-year extension starting today.

However, once this deadline expires, the organization doesn't plan to disclose the complete details of a vulnerability, a practice known in the industry as full disclosure. "[...] If a vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigations in an effort to enable the defensive community to protect the user," Mr. Portnoy noted.

ZDI's changes to its vulnerability disclosure practices are less drastic than those of other security companies or researchers. For example, French vulnerability intelligence vendor VUPEN has stopped providing free information about bugs to affected vendors. Russian vulnerability research firm Intevydis has also taken a stance against responsible disclosure practices, which it compares to doing free quality assurance work for vendors.

Two weeks ago, members of Google's security team encouraged all security researchers to enforce a reasonable disclosure deadline of sixty days. They expressed their support for anyone who decides to publicly disclose vulnerability details and mitigations if the vendor has not released a patch within that time frame.

You can follow the editor on Twitter @lconstantin
