Software vendors will be forced to fix vulnerabilities under deadline

Published 6 August 2010

Software vendors tend to take their time fixing security vulnerabilities discovered in their products. The Zero Day Initiative, which serves as a broker between security researchers who find flaws and software companies who need to fix them, says there are 122 outstanding vulnerabilities that have been reported to vendors and have not been patched yet; the oldest on the list was reported to IBM in May 2007, and more than thirty of the outstanding vulnerabilities are older than a year. The Zero Day Initiative has just announced a new policy: vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information, so organizations and consumers who are at risk from the hole can protect themselves.

Software vendors will now face a deadline to patch vulnerabilities // Source: patrickfarber.com

President Ronald Reagan used to say, “If you cannot make them see the light, make them feel the heat.” Austin, Texas-based security firm TippingPoint has decided to adopt Reagan’s approach. The reason is the growing impatience of security experts with software companies’ foot-dragging when it comes to fixing software security vulnerabilities.

According to the Zero Day Initiative, which serves as a broker between security researchers who find flaws and software companies who need to fix them, there are 122 outstanding vulnerabilities that have been reported to vendors and which have not been patched yet. The oldest on the list was reported to IBM in May 2007 and more than thirty of the outstanding vulnerabilities are older than a year.

A new policy announced Wednesday by TippingPoint, which runs the Zero Day Initiative, is expected to change this situation and push software vendors to move more quickly in fixing the flaws.

Cnet News’s Elinor Mills writes that vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves.

“There is a large quantity of bugs that have gone unpatched for a long time,” said Aaron Portnoy, manager of security research at TippingPoint, which is owned by Hewlett-Packard.

The deadline will apply retroactively, so all currently outstanding vulnerabilities, regardless of when they were submitted, will have to be patched by February, a TippingPoint spokeswoman said.

Vendors can request an extension and it will be granted on a case-by-case basis, Portnoy said. The group will share e-mails TippingPoint and vendors exchange when an extension is requested so the community can see why the vendor needs more time, he said. “We understand some vulnerabilities will take longer to patch,” he said. “We’re hoping for a quicker turnaround time.”

Mills writes that the lack of a deadline fostered a vulnerability-disclosure environment that was ripe for abuse. Security experts accuse vendors of dragging their feet on fixes. That leaves computer users at risk for attack by unscrupulous hackers who may have discovered the hole on their own and are able to exploit it without anyone knowing, security researchers say.

Vendors complain that releasing information to the public on vulnerabilities before a patch is available is akin to giving a burglar the keys to the house. If computer users know about the risk, however, then they can protect themselves with workarounds and other fixes, researchers argue.

“I think vendors were stretching things out quite a bit,” said Chris Wysopal, chief technology officer at Veracode. “We reported a bug to a vendor, a simple cross-site scripting bug, and now it’s been four months and we’re still waiting for them to fix it. I think vendors sometimes take liberties if there is no pressure put on them.”