Vulnerability Broker Draws Line in Disclosure Sand
Ryan Naraine writes on ThreatPost.com:
Looking to put pressure on software vendors who procrastinate on fixing security flaws, the world's biggest broker of vulnerability data is drawing a line in the sand.

More here.
Starting tomorrow (August 4, 2010), TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.
TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.
"We have about 31 outstanding issues that are more than a year old. We believe that's an unacceptable window of exposure [to risk]," says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.
For example, according to ZDI's public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding. Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI's list.