HP's Zero Day Initiative Gives Vendors Patching Deadline

ZDI, a group that pays security researchers a bounty for the bugs they discover and then notifies affected vendors, is now giving companies a six-month deadline for patching security vulnerabilities once they've been notified. If the vendor doesn't meet this deadline, ZDI will release a limited advisory that includes basic information about the vulnerability to help customers mitigate the risks.

Aaron Portnoy, manager of security research at TippingPoint, now part of HP, says ZDI currently has around 120 vulnerabilities that have been reported to vendors but remain unfixed, with some as old as three years. By not patching vulnerabilities in timely fashion, vendors are putting their customers at risk, he says.

"For every day a vulnerability goes unpatched, end users are susceptible," Portnoy said in an interview. "Vendors are being a little bit irresponsible by not patching them."

The latest chapter of the disclosure debate flared up in June after Tavis Ormandy, a Google security engineer, went public with proof-of-concept code for a zero day Windows XP vulnerability just five days after reporting it to Microsoft. Since then, Google has explained that it believes 60 days is a reasonable amount of time for vendors to patch critical bugs in their software.

Microsoft, meanwhile, is stumping for something it calls "coordinated vulnerability disclosure", in which vendors work in conjunction with discovers and independent third parties to respond to issues. Microsoft was infuriated by Ormandy's actions and clearly isn't enamored with being pressured to develop fixes in its products.

Asked for comment on ZDI's six month deadline, Microsoft hewed to its newly honed messaging.

"Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible," a Microsoft spokesperson said in an emailed statement.

ZDI believes the six month window is a "good medium" that works for all vendors, whether they patch on a monthly or quarterly basis, says Portnoy. But ZDI is also aware that some vulnerabilities take more time to patch, particularly ones that affect core operating system components.

Therefore, ZDI is willing to be more flexible in cases where vendors need additional time for testing. "We are willing to grant exemptions on a case-by-case basis if the vendor has a reasonable excuse," said Portnoy. When ZDI does grant exemptions, it will publish all communications with the vendor so as not to be accused of favoritism, he added.

Last week at Black Hat, the ZDI team heard "mostly positive feedback" from the security vendors in attendance, says Portnoy. "For the most part, everyone is in agreement that we need to make this change," he said.