HP announced changes today to the disclosure policy for its TippingPoint Zero Day Initiative (ZDI).
Henceforth, the company will publish vulnerability advisories no later than six months after flaws are detected and submitted to the program. According to HP, the idea is to make sure vendors fix vulnerable software quickly to reduce the risk of potential attacks.
The advisories will feature “limited details” of the vulnerabilities to enable users to take precautions, the company said in a statement.
The change follows a move by Mozilla and Google to increase the bounties they pay for bugs. For Mozilla, the new maximum is $3,000; for Google, it’s $3,133.70. It also follows Microsoft’s attempt to change perceptions around responsible disclosure by renaming the practice “coordinated vulnerability disclosure.”
While vendors may grunt disdainfully at the idea of a timeline, Aaron Portnoy, manager of Security Research for TippingPoint, noted vendors can be less than punctual if left to their own devices.
“As it stands right now there are currently 31 high-risk vulnerabilities reported by the ZDI over a year ago that are awaiting a patch from the vendor,” he blogged. “We believe this places the end user unnecessarily at risk for an extended period of time.”