Stephen Withers
Wednesday, 04 August 2010 08:43
HP's TippingPoint operation will publicly disclose security vulnerabilities six months after they are reported.
The TippingPoint Zero Day Initiative (ZDI) was set up to reward security researchers for responsibly disclosing vulnerabilities, while giving TippingPoint a head start in blocking the corresponding exploits in its intrusion protection system (IPS) products.
TippingPoint came under the HP umbrella as a result of the acquisition of 3Com.
TippingPoint's previous practice has been to give vendors "a reasonable period of time to develop a fix to the identified vulnerability" according to the specific circumstances.
The company has now set a time limit of six months, after which it will publish "limited details of the vulnerabilities so end-users can take precautionary measures." HP officials said the purpose of the change was to encourage vendors to fix affected software quickly, reducing the risk of potential security attacks.
"Comprehensive protection of critical data assets requires organisations to keep their defences up to date as malicious activity reaches new levels and applications become more complex," said Aaron Portnoy, manager, Security Research, TippingPoint, HP.
"This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss," he added.
So which vendors are currently taking more than six months to patch vulnerabilities? You might be in for a surprise if you read on.