ZDI bug bounty program imposes fix deadline for vendors

31 high-risk vulnerabilities on waiting list.

In an effort to take back some of the control from vendors, the leading third-party bug bounty program plans to give providers six months to fix reported vulnerabilities -- or face limited public disclosure.

TippingPoint's Zero Day Initiative (ZDI) announced yesterday that it will impose a six-month deadline for vendors to patch reported issues. The new rules take effect today.

"This applies to all future vulnerabilities submitted through our program, as well as currently outstanding reports," wrote Aaron Portnoy, manager of security research, in a blog post.

That means ZDI may begin disclosing details about the vulnerabilities as soon as February 4, 2011, for all currently outstanding reports. According to the company's "Upcoming Advisories" page, 122 vulnerabilities reported by ZDI remain unfixed for periods ranging from one day to more than three years.

A review of the list reveals dozens of Microsoft, Cisco and Apple bugs that have gone many months without a fix. One still-unpatched vulnerability was reported to IBM 1,156 days ago, in June 2007.

"[W]hen the timeline is controlled by the affected vendor, sometimes they are less than punctual with regard to patch time," Portnoy wrote. "As it stands right now, there are currently 31 high-risk vulnerabilities reported by the ZDI over a year ago that are awaiting a patch from the vendor. We believe this places the end-user unnecessarily at risk for an extended period of time."

The danger to users is compounded by the fact that many of today's researchers are discovering vulnerabilities in concert with one another, Portnoy said.

Under the new policy, ZDI will publish an advisory that provides limited details about the vulnerability in question, including possible mitigations that can be deployed to lessen the threat, Portnoy said. ZDI will only publish this advisory if the affected vendor fails to respond or is not able to offer a valid reason why the flaw could not be fixed in time.

"We realize some issues may take longer than the deadline due to complexity and compatibility reasons and we are willing to work with vendors on a case-by-case basis," he wrote. "To maintain transparency into our process, if any vulnerability is given an extension we plan on publishing the communication we've had with the vendor regarding the issue once it is patched."

ZDI pays researchers for exclusive rights to unpatched vulnerability details. The company benefits by being able to immediately provide protection to its customers, long before a fix is issued by the impacted vendor.

ZDI is not the only outlet demanding deadlines from vendors. Google engineers recently blogged that software makers should fix "critical" vulnerabilities within two months, and researchers should demand a patch deadline for any flaw they submit.

Not everyone agrees with programs such as ZDI. Microsoft plans to stick with its long-standing strategy of not offering payment for bug fixes. However, the software giant did recently drop the term "responsible disclosure" from its lexicon and unveiled an initiative known as "coordinated vulnerability disclosure" as a means to get researchers and vendors to better align their motives.

During a panel discussion at the recent Black Hat conference in Las Vegas, Cisco CSO John Stewart said he is not in favor of bug bounty programs.

Security researchers who voluntarily disclose vulnerabilities should be motivated by the goal of making the internet more secure, Stewart said. Providing cash for bug disclosures could shift researcher motivations from making the internet a better place to just making a profit.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition