/v3-uk/news/2008109/tippingpoint-sets-deadline-flaw-fixes
04 Aug 2010, Iain Thomson , V3
HP's TippingPoint subsidiary has announced a new policy under which it will disclose details of the software flaws it reports to vendors six months after the initial notification.
The vulnerability research organisation said that if it has not heard back from a manufacturer about a reported flaw within six months, it will release details of the problem to its own customers, together with a workaround.
Full public disclosure through its Zero Day Initiative (ZDI) will then follow, unless the vendor has negotiated an extension to the deadline in advance.
"Comprehensive protection of critical data assets requires organisations to keep their defences up to date as malicious activity reaches new levels and applications become more complex," said Aaron Portnoy, manager of security research at TippingPoint.
"This policy change is critical for staying ahead of threats so that users can reduce data, financial and productivity loss."
The move will add to the debate over vulnerability disclosure. Some researchers favour full disclosure so that as many people as possible can work on the problem, while vendors and commercial operators favour a co-ordinated approach in which details are withheld until a fix is available.
"Microsoft advocates co-ordinated vulnerability disclosure, where vendors and finders work together closely towards a resolution," said Dave Forstrom, director of Microsoft's Trustworthy Computing Group.
"Extensive efforts should be made to make a timely response, and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely to be the best course of action. Even then it should be co-ordinated as closely as possible."
TippingPoint will be sued.
A deadline of six months or the entire internet gets hacked, according to TippingPoint.
I can't wait for the court cases...
Posted by n3td3v, 04 Aug 2010