Unpatched Flaws to Be Published

TippingPoint seeks to be watchdog of vendors.

A security company that pays hackers for information on software exploits and flaws plans to release a list of 29 unpatched flaws in products sold by a host of big-name vendors, including Microsoft, IBM, Apple Computer and Novell.

The Aug. 28 disclosure from TippingPoints ZDI (Zero Day Initiative) flaw bounty program is a significant change to the way the 3Com-owned company has handled the disclosure of vulnerability data it buys from external researchers.

Instead of waiting for software makers to issue patches, TippingPoint will announce the flaw purchase in bare-bones advisories at the time the issue is reported to the vendor.

Dave Endler, director of research at TippingPoint, in Austin, Texas, said the list of 29 includes six bugs affecting Microsoft software; three affecting Novell software; two each for products sold by IBM and Apple; and one each affecting AOL, Adobe Systems and Sun Microsystems offerings.

"Were not identifying the software or product versions. Were simply naming the vendor, the date the issue was reported and the severity of the vulnerability," Endler said.

In the first year since the company started shopping for flaws, Endler said TippingPoint has fielded submissions from hundreds of hackers, culminating in 30 published post-patch bulletins. TippingPoint has been credited with finding nine vulnerabilities patched in the last three Microsoft Patch Tuesdays, Endler said.

With the new disclosure policy, Endler said he believes TippingPoint can serve as an industry "watchdog" against companies that drag their feet when software vulnerabilities are reported.

"We can use this to apply some pressure on some vendors. Some, like Microsoft, are very diligent about responding, but there are others that take six months or more to get a fix ready. After youve passed the six-month timeline, theres a good chance someone else will find [the vulnerability], and it might not be someone responsible," he said.

In addition to the ZDI, TippingPoint has a team of internal researchers who also discover and report security bugs to vendors. So far this year, staff researchers have found 10 vulnerabilities that resulted in patches, and there are six more in the disclosure pipeline affecting AOL, Apple, IBM, CA and Business Reports.

VeriSigns iDefense unit, which also buys data on flaws and exploits from external hackers, said it has no plans to preannounce its purchases. "Whats the benefit of doing that? It seems to be something thats driven by marketing," said Joseph Payne, vice president of iDefense, in Reston, Va.

Payne suggested that TippingPoints move could point malicious hackers in a certain direction and put certain vulnerable applications at risk. "If you tell the research community that you have found something in a certain application, you can be sure they will all start looking for it. Weve seen this in the past with the WMF [Windows Metafile] issue and the recent problems [with] Microsoft Office," Payne said.

TippingPoints Endler dismissed such a suggestion, saying his company will provide only the name of the vendor and wont provide any details that might pinpoint the affected product or the cause of the vulnerability.

Shopping for Vulnerabilities

The list of companies buying the rights to security flaw warnings includes some heavy hitters:

* VeriSigns iDefense unit runs a VCP (Vulnerability Contribution Program) that pays for advance notification of unpublished vulnerabilities and/or exploit code

* TippingPoint, a division of 3Com, has publicly disclosed 30 vulnerabilities purchased from external hackers since August 2005

* Digital Armaments pays cash or stock for exclusive rights to new vulnerabilities

* Immunity buys and sells access to exploits and vulnerability information as part of its penetration-testing product suite

Source: eWEEK reporting