Are you still vulnerable? Then you have 6 months

HP TippingPoint's security researchers will publish software vulnerabilities 6 months after the vendor has been informed. The measure is meant to push vendors to take the security of their own products more seriously.

Zero Day Initiative

The acquisition of 3Com allowed HP to consolidate a full range of network infrastructure products. In addition, the people of the HP TippingPoint division have joined our ranks; according to Gartner, they have been defending computer networks more successfully than anyone else on the market for more than 4 years in a row.

One of the interesting creations of this team is the Zero Day Initiative (ZDI) program, under which TippingPoint buys vulnerabilities from third-party researchers. Everyone now knows that Google and Mozilla pay for vulnerabilities found in their browsers. But ZDI has been doing this for 5 years, and there you can "sell" a vulnerability in any software, take part in a cumulative bonus program and, as a result, earn very serious money.

The ZDI program and the scale of TippingPoint itself allow it to maintain a very up-to-date database of current vulnerabilities. And unlike many other companies working in network security, TippingPoint has reported every hole it found to the vendor of the affected software, not only to its paying customers. The vendor, in turn, set the time it needed to fix the bug.

"In general, this strategy has worked well for the vendors, for us and, of course, for our customers," says Aaron Portnoy, head of the research team at TippingPoint. But over time the rate at which new vulnerabilities are discovered grows, while the speed of vendors' reaction to them stays constant. TippingPoint is now ready to publish information on 31 critical vulnerabilities that ZDI participants found more than a year ago. End users thus remain unprotected for a very long time.

To remedy this situation, TippingPoint will publish vulnerabilities 6 months after they were submitted to ZDI and the vendor was informed. If by the end of that period the software vendor has not responded to the TippingPoint report or has not been able to fix the vulnerability, a brief advisory will be published that tells users where they need to strengthen their security measures.

Of course, if the software vendor needs more time to fix the bug and tells TippingPoint so, the deadline will be extended. But in that case, as soon as the hole is closed, TippingPoint will publish the contents of its correspondence with the vendor. "We hope that this level of transparency in our process will help the community better understand the problems that vendors face," writes Tailor on his blog.