📜 ⬆️ ⬇️

Are you still vulnerable? Then you have 6 months

Fighters for computer security from the HP TippingPoint division will publish vulnerabilities in the software 6 months after its manufacturer was informed. This measure should motivate vendors to be more attentive to the security of their own products.

Zero day initiative The acquisition of 3Com allowed HP to concentrate on its entire portfolio of network infrastructure products . But in addition, very interesting people from the HP TippingPoint division appeared in our ranks, who for the past 4 years have been the most successful in the market for the safety of computer networks (according to Gartner).

One of the interesting creations of these guys is the Zero Day Initiative (ZDI) program, in which TippingPoint buys vulnerabilities from outside experts. Google and Mozilla are paying for vulnerabilities found in their browsers - now everyone knows about it. But ZDI has been doing this for 5 years already, and here you can “sell” the vulnerability in any software, participate in the accumulative bonus program and end up earning very serious money.

The ZDI program and the scale of TippingPoint itself allow it to contain a very up-to-date database of current vulnerabilities. And unlike many other companies working in the field of network security, TippingPoint reported all the holes found to the producers of the corresponding software, and not only to its paid customers. Manufacturers, in turn, themselves set the time they needed to fix the bug.
“In general, this strategy worked well for both the vendor and for us and, of course, for our customers,” said Aaron Portnoy, head of the research team at TippingPoint. But over time, the rate of detection of new vulnerabilities increases, and the speed of vendors' reaction to them remains constant. TippingPoint is now ready to publish information about the 31 critical vulnerabilities that were found by ZDI participants over a year ago. End users, thus, for a very long time remain unprotected.

To remedy this situation, TippingPoint will publish vulnerabilities 6 months after they were discovered in ZDI and the vendor was informed. If after this period the software maker does not respond to the TippingPoint report or is unable to fix the vulnerability, a brief report will be published about it that tells users where they need to strengthen security measures.

Of course, if the software maker needs more time to fix the bug and he tells TippingPoint about it, the deadline will be shifted. But in this case, as soon as the hole is closed, TippingPoint will publish the contents of the correspondence with the vendor. "We hope that this level of transparency of our process will allow society to better understand the problems faced by vendors," writes Portnoy in his blog.

Source: https://habr.com/ru/post/101076/

All Articles