HP TippingPoint gives deadline to vendors

Information to be released even if a patch is not ready
HP TippingPoint, the world's biggest bug bounty program, says that it will impose a six-month deadline on vendors. The security initiative says that it will release vulnerability information even if a patch has not been released.

"We're going to be enforcing a six-month deadline as general policy," said Aaron Portnoy, head of HP TippingPoint's security research team.

The move is a major development for TippingPoint's Zero Day Initiative (ZDI). ZDI, which purchases vulnerability reports from independent security researchers and then privately reports them to vendors to help tailor defenses for security appliances, had a policy of indefinitely withholding information on a vulnerability. The initiative would only publish its information after a patch had been issued.

ZDI will now give vendors six months to get a patch ready. Bugs in ZDI's queue were given a deadline that expires in six months: Feb. 4, 2011.

If a fix is not ready by the deadline, ZDI will issue an advisory on the vulnerability, as well as any solutions the initiative can formulate.

At the moment, ZDI is holding information on 31 critical bugs. The initiative reported the problems to vendors a year or more ago.



