TippingPoint goes public with Zero Day flaws

Joris Evers and Tom Espiner ZDNet.co.uk

Published: 01 Sep 2006 15:45 BST


TippingPoint has celebrated the one-year anniversary of its Zero Day Initiative bug bounty programme by putting more pressure on software makers to fix bugs.

The intrusion prevention product vendor, a division of 3Com, said this week it would begin publishing some details on all vulnerabilities that are pending public disclosure on its Zero Day Initiative Web site.

Through the Zero Day Initiative, TippingPoint pays security researchers who tell it about newly discovered zero day vulnerabilities. The company then notifies the affected vendor so a patch can be developed, and also acts to protect its customers against attacks that exploit the vulnerabilities.

TippingPoint has now listed minimal details on 29 issues that have been reported to the Zero Day Initiative and are currently being addressed by the affected vendors. The list of vendors includes Microsoft (six times), CA (four times), Novell (three times), Apple (three times) and Symantec (twice).

TippingPoint only publishes the vendor name, the severity of the bug it reported and when it reported the bug. The list shows, for example, that Adobe Systems and CA have yet to address high-severity issues that were reported 146 days ago.

"No technical details are shared about the vulnerability or the name of the vendor's specific product in order to protect exposed users of the affected vendor," TippingPoint said in a statement. Such publication ups the pressure on vendors to address the flaws.

Security researchers can become frustrated with vendors who fail to act quickly to address security problems. TippingPoint's initiative allows them to publicise the existence of a flaw without having to reveal details to the whole industry.

"Vulnerabilities can be publicly disclosed by researchers if they get impatient about the time taken between vulnerabilities being disclosed to the vendor, and patches being made available," said Richard Starnes, president of the Information Systems Security Association (ISSA).

"There's a lot of incentive for security researchers to submit vulnerabilities to the programme, rather than disclose them in an untimely manner," Starnes told ZDNet UK.

Starnes said that the programme would have a positive effect if it becomes more widely known, and if security researchers continue to become involved in the initiative.

VeriSign's iDefense runs a program similar to TippingPoint's.
