IBM, Hewlett-Packard (HP), and Microsoft led the list of companies that failed to patch vulnerabilities within six months of being notified by the world's biggest bug bounty program, according to HP TippingPoint's Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 zero-day advisories that provided information on vulnerabilities it had reported to vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six in HP's own software, and five were in Microsoft products.
Other companies on the list of late-to-patch vendors included CA, Cisco, and EMC.
TippingPoint, which may be best known as the sponsor of the annual Pwn2Own hacking contest, buys vulnerabilities from independent security researchers, privately reports them to vendors, and then uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that if a vendor had not patched a reported vulnerability within six months, it would go public with an advisory that included "limited details" of the bug.
TippingPoint released its first zero-day advisory Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team, in an interview at the time.
Today, Portnoy and Derek Brown, a ZDI researcher, said that the program had worked, more or less.
"What's come out of this is that we've seen a better response," said Brown. "If vendors don't show due diligence, and after working with them it doesn't look like they're making a strong commitment to patching, we release the information as a zero-day advisory."
"It's not just the actual impact of the vulnerabilities, but the perceived impact," argued Portnoy. "It puts pressure on the vendor to patch their product because the number of unpatched vulnerabilities can change the perception of the product's security."
Portnoy also cited some strong success stories.
"Some security teams thanked us for dropping a zero-day [advisory] on them," Portnoy said. "They were able to use that to make the business case that they should have more resources."
Of the five Office vulnerabilities that ZDI disclosed on Feb. 7, 2011, Microsoft patched all five in its April 2011 bulletins of MS11-021, MS11-022, and MS11-023. ZDI had handed Microsoft those vulnerabilities in three batches on June 30, July 20, and Aug. 25, 2010.
IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.
Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16 percent from 301 in 2010, said Brown.