Story updated on Tuesday, Aug. 3 at 7:22 p.m. EST
One of the major third-party bug bounty programs is tired of vendors taking their time to repair reported vulnerabilities.
TippingPoint’s Zero Day Initiative (ZDI) announced Tuesday that it will impose a six-month deadline for vendors to patch reported issues. The new rules take effect Wednesday.
“This applies to all future vulnerabilities submitted through our program, as well as currently outstanding reports,” wrote Aaron Portnoy, manager of security research, in a blog post.
That means ZDI may begin disclosing details about the vulnerabilities as soon as Feb. 4, 2011, or six months from Wednesday, for all currently outstanding reports. According to the company’s “Upcoming Advisories” page, 122 vulnerabilities reported by ZDI remain unfixed for periods ranging from one day to more than three years.
A review of the list reveals dozens of Microsoft, Cisco and Apple bugs that have gone many months without a fix. One still-unpatched vulnerability was reported to IBM 1,156 days ago, or roughly in June 2007.
“[W]hen the timeline is controlled by the affected vendor, sometimes they are less than punctual with regard to patch time,” Portnoy wrote. “As it stands right now, there are currently 31 high-risk vulnerabilities reported by the ZDI over a year ago that are awaiting a patch from the vendor. We believe this places the end-user unnecessarily at risk for an extended period of time.”
The danger to users is compounded by the fact that many of today’s researchers are discovering vulnerabilities in concert with one another, Portnoy said.
Under the new policy, ZDI will publish an advisory that provides limited details about the vulnerability in question, including possible mitigations that can be deployed to lessen the threat, Portnoy said. ZDI will only publish this advisory if the affected vendor fails to respond or is unable to offer a valid reason why the flaw could not be fixed in time.
“We realize some issues may take longer than the deadline due to complexity and compatibility reasons and we are willing to work with vendors on a case-by-case basis,” he wrote. “To maintain transparency into our process, if any vulnerability is given an extension we plan on publishing the communication we’ve had with the vendor regarding the issue once it is patched.”
ZDI pays researchers for exclusive rights to unpatched vulnerability details. The company benefits by being able to immediately provide protection to its customers, long before a fix is issued by the impacted vendor.
ZDI is not the only outlet demanding deadlines from vendors. Google engineers recently blogged that software makers should fix “critical” vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.
Not everyone agrees with programs such as ZDI. Microsoft plans to stick with its long-standing strategy of not offering payment for bug fixes. However, the software giant did recently drop the term “responsible disclosure” from its lexicon and unveiled an initiative known as “coordinated vulnerability disclosure” as a means to get researchers and vendors to better align their motives.
During a panel discussion at the recent Black Hat conference in Las Vegas, John Stewart, CSO of Cisco, said he is not in favor of bug bounty programs.
Security researchers who voluntarily disclose vulnerabilities should be motivated by the goal of making the internet more secure, Stewart said. Providing cash for bug disclosures could shift researcher motivations from making the internet a better place to just making a profit.
Rick Howard, intelligence director at VeriSign iDefense Labs, which runs the other major third-party bug bounty initiative, said he doesn’t expect his company to follow suit because his team typically has had good experiences dealing with vendors.
“In our experience, that’s not the way it is with most of the big vendors,” Howard told SCMagazineUS.com on Tuesday, referencing patch delays. “They’re responsive. They have good teams.”