
TippingPoint goes public with Zero Day flaws

Joris Evers, Staff Writer, CNET News.com

TippingPoint is celebrating the one-year anniversary of its Zero Day Initiative bug bounty program by putting more pressure on software makers to fix bugs.

The company, a division of 3Com and a seller of intrusion prevention products, said this week that it would begin publishing, on the Zero Day Initiative Web site, summary details of all reported vulnerabilities that are still pending public disclosure.

TippingPoint started by listing minimal details on 29 issues that have been reported to the Zero Day Initiative and are currently being addressed by the affected vendors. The list of vendors includes Microsoft (six times), CA (four times), Novell (three times), Apple (three times), and Symantec (twice).

TippingPoint publishes only the vendor name, the severity of the bug it reported and the date on which it reported the bug. The list shows, for example, that Adobe Systems and CA have yet to address high-severity issues that were reported 146 days ago.

"No technical details are shared about the vulnerability or the name of the vendor's specific product in order to protect exposed users of the affected vendor," TippingPoint said in a statement. Such publication ups the pressure on vendors to address the flaws.

The Zero Day Initiative pays security researchers for telling TippingPoint about newly discovered zero day vulnerabilities. The company then notifies the affected vendor so a patch can be developed at the same time TippingPoint IPS customers are protected against attacks that exploit the vulnerabilities.

VeriSign's iDefense has a program similar to TippingPoint's.