Reduced patch quality and the growing prevalence of vague patch communications have prompted Trend Micro's Zero Day Initiative to introduce shortened timelines for incomplete patches, according to ZDNet.
Vendors will be given 30 days to address critical vulnerabilities whose patches are easily circumvented and where exploitation is expected, while 60 days will be given to remediate potentially exploitable critical and high-severity flaws whose patches offer some defense.
Meanwhile, all other vulnerabilities with lower severity ratings will need to be addressed by vendors within 90 days.
"Over the last few years, we've noticed a disturbing trend: a decrease in patch quality and a reduction in communications surrounding the patch. This has resulted in enterprises losing their ability to accurately estimate the risk to their systems. It's also costing them money and resources as bad patches get re-released and thus re-applied," said ZDI Senior Director Brian Gorenc in a blog post.
CyberScoop reports that federal civilian agencies have been ordered by the Cybersecurity and Infrastructure Security Agency to provide regular reports on software vulnerabilities as part of a new directive aimed at improving vulnerability detection and asset visibility in federal networks.