Picking up the pace: A new 120-day disclosure window

Shannon_Sabens on ‎02-26-2014 12:15 PM

In the coming year, the Zero Day Initiative will be ten years old.  It is the most mature vulnerability bug bounty program around…

It would be easy to be complacent: We love what we do. We work with brilliant researchers. Our work contributes to great products and a more secure enterprise computing landscape… We are very proud of that.  And yet, when one starts thinking this way, isn’t it also time for a change?  We looked, and will continue to look, at ways to make our program better.  One very clear way to push ourselves and our partners, to increase our commitment to the independent researchers who entrust us with their work, and most of all to advance our commitment to more secure computing, is to shorten our public disclosure deadline.

In a presentation at RSA today, we announced that vendors are now asked to develop a fix for a reported vulnerability within 120 days of receiving our product vulnerability report. The new window applies to reports received on or after March 1.  Historically, we have asked vendors to develop a fix for a reported product vulnerability within 180 days of receiving our report.


Why change?
Our purpose in changing the policy is to push vendors to react more quickly to responsibly disclosed vulnerabilities and to shrink the attack surface faster.  We know the public is already at risk: the vulnerabilities exist, and researchers, white hats - and black hats - are actively looking for them every day.


Is this realistic for large vendors?
The evidence says yes, absolutely.  Large vendors are already responding in closer to 120 days.  It seems that we have grown together…


In 2010:
• ZDI was publishing around 100 vulnerabilities a year
• 30% of them took more than 365 days from report to fix
• To address sluggish or non-existent response by vendors, the ZDI instituted a 180-day public disclosure policy

In 2011:
• Every one of the “Top 10” vendors had at least one vulnerability that took more than 180 days to fix

In 2013:
• Only 6 vendors had one or more vulnerabilities that took more than 180 days to fix
• Only 5 vendors averaged more than 120 days
• Only 2 vendors averaged more than 180 days

Overall, vendor timelines are greatly reduced.  We thank these vendor partners for their increased commitment to secure coding and regular patching.  We look forward to continuous growth and improvement together.
