We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Big IT Vendors Lead Patching Laggards

IBM, Hewlett-Packard and Microsoft led the list of companies that failed to patch vulnerabilities after being notified by the world's largest bug-bounty program, according to the TippingPoint Zero-Day Initiative (ZDI).

During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that had information about vulnerabilities the company had reported to IT vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six were in HP applications and five, later patched, were in Microsoft products.

Other vendors on the late-to-patch list included CA, Cisco and EMC.

TippingPoint, which sponsors the Pwn2Own hacking contest, buys information about vulnerabilities from independent security researchers and privately reports them to vendors. It uses the information to craft defenses for its own line of security appliances.

In mid-2010, TippingPoint announced that it would go public with advisories that included "limited details" of reported vulnerabilities if vendors didn't patch them within six months.

TippingPoint released its first zero-day advisory on Feb. 7, 2011.

Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team.

Portnoy and Derek Brown, a ZDI researcher, said the pressure has worked, more or less. "We've seen a better response," Brown said. "If it doesn't look like they're making a commitment to patching, we release the information."

"It puts pressure on the vendors to patch their products, because the number of unpatched vulnerabilities can change the perception of the product's security," Portnoy argued.

As of late December, TippingPoint's independent researchers generated 350 vulnerability reports, up 16% from 301 a year earlier.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.

IDG UK Sites

Acer Aspire R11 review: Hands-on with the 360 laptop and tablet convertible

IDG UK Sites

Apple Watch release day: Twitter reacts

IDG UK Sites

See how Framestore created a shape-shifting, oil and metal based creature for Shell

IDG UK Sites

Apple Watch buying guide, price list & where to buy today: Which Apple Watch model, size, material,?......