HP TippingPoint Sets Six-Month Deadline for Flaw Fixes

Hewlett Packard has announced that it will now give software vendors only a six-month deadline to patch security vulnerabilities before it discloses information to the public.

HP TippingPoint's Zero Day Initiative, which essentially buys vulnerabilities from researchers and reports them to software vendors, warned that it would release "limited details" about the vulnerability if a patch is not provided by the vendor within six months.

The bug bounty group also added that it will grant extensions for more "impactful" vulnerabilities on a case-by-case basis. The vulnerabilities currently tracked by TippingPoint will have a six-month deadline of 4 February 2011.

If the deadline is not met, the security group will release an advisory related to the vulnerabilities, but with only a limited amount of information, to prevent them from being exploited by hackers in the wild.

The advisory will also contain a number of workarounds found by the security group to help users avoid being affected by the flaw.

Speaking to Computer World, Aaron Portnoy, the head of the security team at HP TippingPoint, said: “We've been thinking about this for quite a while. We have to track some of these bugs for two years, three years, which slows us down.”