07 Feb 2011
Security firm TippingPoint has announced the first results of its Zero Day Initiative (ZDI) disclosure deadline, a policy that names and shames vendors whose reported vulnerabilities go unpatched for more than six months.
IBM was the biggest offender with nine vulnerabilities, followed by Microsoft with five and HP with four. Vendor-specific bug reports are now being posted on the TippingPoint blog.
Aaron Portnoy, manager of security research at TippingPoint, told V3.co.uk that the results of the first six months had been very encouraging.
The company had initially compiled 186 vulnerabilities for the list, but only 22 remained unpatched at the end of the first six months.
"Surprisingly, a lot of companies got on board. It's been phenomenal getting the message across. Researchers are also supportive, although some said we were giving the software vendors too much time to fix flaws," Portnoy said.
Vendors respond to reported flaws far more quickly and efficiently when they have a dedicated security response team in place, according to Portnoy, who singled out Adobe for assembling a strong unit, staffed in part by ex-Microsoft employees.
One of the most surprising findings of the first six months was how often the same vulnerability was discovered independently by different researchers at almost the same time. One flaw was found and reported to the ZDI by seven separate researchers, a strong indication that attackers will find such flaws too, and an argument against letting a reported bug sit unpatched for long.
The programme is necessary, Portnoy explained, because the deadline forces companies to fix flaws, and because it lets researchers get on with finding security holes instead of negotiating disclosure with large vendors themselves.
"Trying to force a big vendor to do something is a power struggle. We are part of a big company. We disclose more vulnerabilities than anyone else and have the clout to force vendors to change," he said.
"Many researchers with the Zero Day Initiative are converts. They don't want to deal with vendor disclosure."