Zero Day Initiative launches new bug disclosure timelines

LAS VEGAS -- Trend Micro's Zero Day Initiative introduced on Thursday new vulnerability disclosure timelines to combat a trend of vendors releasing ineffective patches.

The announcement came during a Black Hat USA 2022 session titled "Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories." Hosted by Brian Gorenc, Trend Micro senior director of threat research, and Dustin Childs, ZDI senior communications manager, the session provided insight into how vendors respond to emerging vulnerabilities with incomplete "placebo" patches that do not properly mitigate the flaws in question.

The Zero Day Initiative is Trend Micro's vendor-agnostic bug bounty program. As opposed to other bug bounty programs like Bugcrowd and HackerOne that take on vendors as clients to provide a rewards infrastructure, ZDI buys vulnerabilities from researchers before submitting them to vendors.

ZDI's vulnerability disclosure timelines incentivize vendors to release functional patches. Before this announcement, ZDI's coordinated disclosure policy generally gave vendors a flat 120 days to address a vulnerability either with an update or appropriate mitigation. If the vendor failed to establish contact, ZDI could choose to publish its non-coordinated advisory 15 business days after the initial attempt.

The new disclosure policy offers reduced timelines for flaws that ZDI believes result from a bypassed security patch. ZDI will give vendors 30 days to fix critical bugs where exploitation is expected, 60 days for critical and high-severity bugs where the preexisting patch provides some protection, and 90 days for lower-severity flaws where no immediate exploitation is anticipated.

Childs told SearchSecurity that he hopes this new disclosure process will encourage vendors to "get it right the first time" as often as possible.

"Our thing was, not only were we buying bugs multiple times, which was costing us money, but it was also costing the enterprise money," he said.

After the infamous Log4j vulnerability Log4Shell was discovered last year, Log4j required additional updates to fix vulnerabilities and exploits discovered after the initial 2.15.0 patch. Meanwhile, Microsoft failed to adequately fix a critical Azure Synapse bug for months after it was discovered.

Since ZDI's start in 2005, the program has seen more than 10,000 flaws move from initial discovery to patch, according to Childs. In recent years, it has seen "a disturbing trend of lower patch quality," he said, as well as vendors obscuring patch information.

"[I think vendors are] focusing resources away from engineering toward product development and other areas," Childs said. "Vendors just aren't focusing on sustaining their products once they get them out the door."

Similarly, SearchSecurity talked to several vulnerability experts last summer about why staying on top of patches can prove difficult for enterprise customers. Reasons included resource constraints, decentralized infrastructure and technical debt.

Gorenc added that a talent gap is also to blame.

"In reality, you need someone to understand the full vulnerability, be a developer and do operations. It's challenging to find the right skill set," he said. "I think part of the problem is that the vendor hasn't educated the developers enough so that when they actually get a bug report, the engineer knows how to fix the actual bug."

Alexander Culafi is a writer, journalist and podcaster based in Boston.