Tipping Point sets six month deadline for flaw fixes

[nsane.forums]

Vendors must patch or face disclosure says HP

Tipping Point, owned by HP, has announced a new Zero Day Initiative (ZDI), whereby it will release data on software flaws six months after notifying the vendor.

If the organization hasn’t heard back from a manufacturer about a reported flaw within six months then it will release data on the problem to its custoerrms, along with a workaround. Full disclosure will follow, unless an extension to the deadline is worked out in advance.

”Comprehensive protection of critical data assets requires organizations to keep their defences up to date as malicious activity reaches new levels and applications become more complex,” said Aaron Portnoy, manager of Security Research at TippingPoint.

“This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss.”

The move by the company, which is one of the largest vulnerability research organisations, will add to the current debate over flaw disclosure. Some researchers favour full disclosure to maximise the effort on the problem, which more commercial operators favour a more balanced approach.

"Microsoft advocates for coordinated vulnerability disclosure, where vendors and finders work together closely toward a resolution,” said Dave Forstrom, director of Microsoft’s Trustworthy Computing Group.

“Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible."

View: Original Article