HP's bug bounty programme changes disclosure terms

TippingPoint division is altering the terms of its programme

HP's TippingPoint division for five years has offered a paid bounty to independent researchers who find zero-day vulnerabilities in vendor products so HP can provide defenses in its intrusion-prevention systems. But last week HP said it's altering the basic terms for keeping those zero-day discoveries about vendor product flaws under wraps, because some vendors aren't fixing software flaws fast enough.

"We've been a huge proponent of nondisclosure working with vendors," says Aaron Portnoy, HP's manager of security research, about HP's Zero-Day Initiative (ZDI) program. Historically this has meant that when HP accepted and paid researchers for detailed information about new zero-day discoveries related to holes in software, it kept that information under wraps until the vendor publicly corrected the flaw. HP did this to prevent the flaws from being exploited. But an unintended consequence has been that "we allowed vendors to dictate the timeframe," Portnoy says.

HP is changing its nondisclosure policy and from now on, the company will exercise six months as the outer time limit for expecting a vendor's software flaw to be fixed and publicly disclosed -- or it will exercise the option to disclose it anyway.

"We want to put pressure on the vendors," Portnoy says, noting some have been taking one year, or even up to three years, to patch flaws. These include IBM, CA and yes, even HP itself, he says. So, as of now, the deadline will be Feb. 4 next year when HP could reveal zero-day vulnerabilities it knows about that haven't been fixed. Portnoy adds that HP might extend the six-month deadline as a good-will gesture in certain circumstances, but will be closely tracking the issues in each circumstance.

A zero-day vulnerability is a hole in software that has not previously been known to the wider public, and that would be attractive for hackers to exploit.

HP has published 414 of the zero-day vulnerabilities it has learned about over the past five years, and 200 more will be upcoming, Portnoy says. He notes that the number of serious software flaws that researchers are bringing to HP under the ZDI bounty program appears to be growing.

For all of last year, HP ended up with 101 zero-day flaws, while this year, there have been 137 vulnerabilities published so far already. Portnoy says the current wave of zero-day vulnerabilities is mainly client-side, related to software such as browsers and Adobe software, with Apple getting a lot more attention than previously.

About 1,300 researchers are registered under HP's ZDI program. These researchers discover zero-day vulnerabilities using techniques that include fuzzing tools to find out about software flaws. Zero-day bounties typically start at just over $3,000. There are a few other zero-day bounty rewards programs that compete with HP's ZDI, and sometimes researchers will shop their discoveries around to see who will pay the most. HP works to further reward its most fruitful researchers by flying them to events, such as the recent Black Hat Conference in Las Vegas.