Security researchers from the HP TippingPoint division will publish vulnerabilities in software 6 months after its manufacturer has been informed. The measure is meant to motivate vendors to pay more attention to the security of their own products.
The acquisition of 3Com allowed HP to concentrate on its entire portfolio of network infrastructure products. In addition, it brought into our ranks the very interesting people of the HP TippingPoint division, who for the past 4 years have been the most successful in the network security market (according to Gartner).
One of this team's interesting creations is the Zero Day Initiative (ZDI) program, under which TippingPoint buys vulnerabilities from outside researchers. Everyone now knows that Google and Mozilla pay for vulnerabilities found in their browsers, but ZDI has been doing this for 5 years already: here you can "sell" a vulnerability in any software, take part in a cumulative bonus program, and end up earning very serious money.
The ZDI program and the scale of TippingPoint itself allow it to maintain a very up-to-date database of current vulnerabilities. Unlike many other companies working in network security, TippingPoint reported every hole it found to the vendors of the affected software, not only to its paying customers. The vendors, in turn, set for themselves the time they needed to fix the bug.
"In general, this strategy worked well both for the vendor and for us and, of course, for our customers," said Aaron Portnoy, head of the research team at TippingPoint. But over time, the rate at which new vulnerabilities are found keeps growing, while the speed of vendors' reaction to them stays constant. TippingPoint is now ready to publish information about 31 critical vulnerabilities that ZDI participants found more than a year ago. End users thus remain unprotected for a very long time.
To remedy this situation, TippingPoint will publish vulnerabilities 6 months after they were reported to ZDI and the vendor was informed. If after this period the software maker has not responded to TippingPoint's report or has been unable to fix the vulnerability, a brief report will be published telling users where they need to strengthen their security measures.
Of course, if the software maker needs more time to fix the bug and tells TippingPoint so, the deadline will be extended. But in that case, as soon as the hole is closed, TippingPoint will publish the contents of its correspondence with the vendor. "We hope that this level of transparency of our process will allow society to better understand the problems faced by vendors," writes Portnoy in his blog.