Tuesday, August 03, 2010

Vulnerability Broker Draws Line in Disclosure Sand

Ryan Naraine writes on ThreatPost.com:

Looking to put pressure on software vendors who procrastinate of fixing security flaws, the world's biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

Tippingpoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

"We have about 31 outstanding issues that are more than a year old. We believe that's an unacceptable window of exposure [to risk]," says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI's public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding. Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI's list.

More here.


Post a Comment

<< Home