Picking up the pace: A new 120-day disclosure window

Shannon_Sabens on ‎02-26-2014 12:15 PM

In the coming year, the Zero Day Initiative will be ten years old. It is the most mature vulnerability bug bounty program around…


It would be easy to be complacent: we love what we do. We work with brilliant researchers. Our work contributes to great products and a more secure enterprise computing landscape… We are very proud of that. And yet, when one starts thinking this way, isn't it also time for a change? We have looked, and will continue to look, at ways to make our program better. One very clear way to push ourselves and our partners, to increase our commitment to the independent researchers who entrust us with their work, and most of all to push our commitment to more secure computing, is to shorten our public disclosure deadline.


In a presentation at RSA today, we announced that vendors are now asked to develop a fix for a reported vulnerability within 120 days of receiving our product vulnerability report. The new window applies to reports received on or after March 1. Historically, we have asked vendors to develop a fix within 180 days of receiving our report.


Why change?
Our purpose in changing the policy is to push vendors to shorten the time it takes them to react to responsibly disclosed vulnerabilities, and so to reduce the attack surface faster. We know the public is already at risk: the vulnerabilities exist, and researchers, white hats and black hats alike, are actively looking for them every day.


Is this realistic for large vendors?
The evidence says yes, absolutely! Large vendors are already responding in closer to 120 days than 180. It seems that we have grown together…


In 2010:
• ZDI was publishing around 100 vulnerabilities a year
• 30% of them took more than 365 days from report to fix
• To address sluggish or non-existent response by vendors, the ZDI instituted a 180-day public disclosure policy


In 2011:
• Every one of the "Top 10" vendors had at least one vulnerability that took more than 180 days


In 2013:
• Only 6 vendors had one or more vulnerabilities that took more than 180 days
• 5 vendors averaged more than 120 days
• Only 2 averaged more than 180 days


Overall, vendor response times are much shorter. We thank these vendor partners for their increased commitment to secure coding and regular patching. We look forward to continued growth and improvement together.
