
TippingPoint gives vendors six months to fix holes

Some software vendors are taking too long to fix flaws in their products so the Zero Day Initiative is giving them a deadline for the first time.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

As of Wednesday, software vendors will have a deadline to fix vulnerabilities reported to them by TippingPoint's Zero Day Initiative rather than allowing holes to remain unpatched indefinitely.

Vendors will be required to fix the holes within six months, said Aaron Portnoy, manager of security research at TippingPoint, owned by Hewlett-Packard. TippingPoint runs the Zero Day Initiative, which acts as a broker, paying researchers for information on vulnerabilities and then providing the information to the vendors so they can fix them.

Extensions to the deadline will be given on a case-by-case basis, he said. If vendors don't fix the hole within six months and haven't received an extension, TippingPoint will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves, he added.

There are more than 120 vulnerabilities that TippingPoint has reported to vendors that have not been patched yet, and quite a few of them are older than a year, according to Portnoy.

With the deadline, TippingPoint is "hoping for quicker turnaround times" for fixes, he said.

CNET will take a deeper look at the news in an article on Wednesday.