TippingPoint Zero Day Initiative

 

Disclosure Policy

This policy outlines how TippingPoint handles responsible vulnerability disclosure to product vendors, TippingPoint customers, security vendors and the general public.

TippingPoint will responsibly and promptly notify the appropriate product vendor of a security flaw with their product(s) or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to security@, support@, info@, and secure@company.com with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, TippingPoint may distribute vulnerability protection filters to its customers' IPS devices through the Digital Vaccine service.

If a vendor fails to acknowledge TippingPoint's initial notification within five business days, TippingPoint will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, TippingPoint may rely on an intermediary to try to establish contact with the vendor. If TippingPoint exhausts all reasonable means in order to contact a vendor, then TippingPoint may issue a public advisory disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, TippingPoint will allow the vendor a reasonable period of time to develop a fix to the identified vulnerability. TippingPoint will use its discretion to determine what constitutes a "reasonable period of time" for a vendor fix to be developed on a case-by-case basis. TippingPoint will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, TippingPoint will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no cases will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.

Before public disclosure of a vulnerability, TippingPoint may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base. Such a security vendor must show they are able to provide security protection for vulnerabilities, while at the same time not revealing the technical vulnerability details in their product updates.

TippingPoint will formally and publicly release its security advisories on its Web site and on selected security mailing list outlets.

Published Advisories

ZDI-10-169: Novell

• published 2010-09-01

ZDI-10-168: Apple

• published 2010-08-31

ZDI-10-167: RealNetworks

• published 2010-08-26

ZDI-10-166: RealNetworks

• published 2010-08-26

ZDI-10-165: Trend Micro

• published 2010-08-25

Upcoming Advisories

Novell

• reported 2010-08-23, 8 days ago

Mozilla Firefox

• reported 2010-08-12, 19 days ago

CA

• reported 2010-08-12, 19 days ago

Apple

• reported 2010-08-12, 19 days ago

Symantec

• reported 2010-07-20, 42 days ago

Recent Press

How Microsoft ranks with the most tardy bug ...

• published 2010-08-05, Network World

HP TippingPoint gives deadline to vendors

• published 2010-08-05, International Business Times

TippingPoint sets six-month deadline for flaw fixes

• published 2010-08-04, V3

HP's Zero Day Initiative Gives Vendors Patching Deadline

• published 2010-08-04, CRN

Researchers Throw Down Vulnerability-Disclosure Gauntlet

• published 2010-08-04, DarkReading