Tipping Point, running out of patience with the bean counters at software companies, has raised the stakes.
Analysis: TippingPoint has upped the ante on vulnerability disclosure by giving vendors six months to fix bugs before it goes public with information on flaws.
The intrusion prevention specialist, bought by HP earlier this year, has long rewarded security researchers for information about vulnerabilities via its Zero Day Initiative (ZDI) program. It uses this information to add rules blocking exploits to its IPS technology, and historically has put no particular pressure on vendors to develop patches. Under the new policy, the ZDI will release data summarising flaws and outlining workarounds after six months unless an extension is agreed in advance.
The usual suspects say that six months is too short a time to patch and test bloatware, and wish to call the whole project something new, without actually doing anything about the situation. On the other hand:
Following on from full disclosure, Microsoft now has a new disclosure variant to contend with – no disclosure. French security services provider VUPEN claims to have discovered two critical security vulnerabilities in the recently released Office 2010 – but has passed information on the vulnerabilities and advice on mitigation to its own customers only. For now, the company does not intend to fill Microsoft in on the details, as they consider the quid pro quo – a mention in the credits in the security bulletin – inadequate.
VUPEN also claims that all of its customers are reliable and would never exploit the inside information, sell it online, or use it for economic gain, as their customers don’t do that either.