We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Big IT Vendors Lead Patching Laggards

IBM, Hewlett-Packard and Microsoft led the list of companies that failed to patch vulnerabilities after being notified by the world's largest bug-bounty program, according to the TippingPoint Zero-Day Initiative (ZDI).

During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that had information about vulnerabilities the company had reported to IT vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six were in HP applications and five, later patched, were in Microsoft products.

Other vendors on the late-to-patch list included CA, Cisco and EMC.

TippingPoint, which sponsors the Pwn2Own hacking contest, buys information about vulnerabilities from independent security researchers and privately reports them to vendors. It uses the information to craft defenses for its own line of security appliances.

In mid-2010, TippingPoint announced that it would go public with advisories that included "limited details" of reported vulnerabilities if vendors didn't patch them within six months.

TippingPoint released its first zero-day advisory on Feb. 7, 2011.

Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team.

Portnoy and Derek Brown, a ZDI researcher, said the pressure has worked, more or less. "We've seen a better response," Brown said. "If it doesn't look like they're making a commitment to patching, we release the information."

"It puts pressure on the vendors to patch their products, because the number of unpatched vulnerabilities can change the perception of the product's security," Portnoy argued.

As of late December, TippingPoint's independent researchers generated 350 vulnerability reports, up 16% from 301 a year earlier.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.


IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...