Taking A Bite Out Of Crime Bugs
TippingPoint has long been a proponent of information technology security, and is especially known for its Zero Day Initiative (ZDI) bug-bounty program, in which security researchers can earn thousands of dollars by reporting new vulnerabilities to TippingPoint, which in turn contacts the affected software vendors to get them to patch the holes in their code.
But a recent perusal of the ZDI database turned up high-risk vulns still sitting unpatched more than a year after they were privately disclosed to the vendor, and that has grated on some nerves. Some of those privately disclosed security holes have gone as long as three years without being fixed by their respective software vendors. And that's just no good.
TippingPoint had been trying to be responsible: it kept the bugs private and gave the vendors time to fix them, so that everyone stayed safe without going to full disclosure and letting the hackers learn of these vulnerabilities too. But after watching too many software companies rest on their laurels and do nothing about their holes, TippingPoint has had enough.
Under the new ZDI policy, TippingPoint will still contact software companies privately, but will only give them six months of confidentiality to correct their flaws. After those six months, if no extension has been agreed upon, TippingPoint will turn around and fully disclose the bug to the world at large, giving third parties an opportunity to mitigate a hole that the software vendor refused to act upon.
While many proponents (including myself) laud this tough-on-bugs approach, opponents of the "full disclosure" method (such as Microsoft, of course, inventors of security through obscurity) argue that fixed timescales don't work because some bugs take longer to fix and test than others, and that hackers can also use the disclosed information to make their job of getting into your computer easier.
And these are valid points. But that's probably why TippingPoint in fact has a process in place for filing for an extension to the six-month deadline. TippingPoint seems to make it clear that if Microsoft can make a convincing argument for why it can't fix a security hole in a mere six months, TippingPoint will be more than happy to extend the timeline and give it all the confidentiality it needs.
Meanwhile, there's the other end of the spectrum. Google recently announced a policy similar to this new one from TippingPoint, but with a mere 60 days, just two months, of confidentiality before disclosure: a much tougher deadline to meet.