HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Picking up the pace: A new 120-day disclosure window

In the coming year, the Zero Day Initiative will be ten years old.  It is the most mature vulnerability bug bounty program around…

It would be easy to be complacent: We love what we do. We work with brilliant researchers. Our work contributes to great products and a more secure enterprise computing landscape… We are very proud of that.  And yet, when one starts thinking this way, isn’t is also time for a change?  We looked, and will continue to look, at ways to make our program better.  One very clear way to push ourselves, and our partners, to increase our commitment to the contributing independent researchers who entrust us with their work, and most of all, to push our commitment to more secure computing, is to draw in our public disclosure deadline.

In a presentation at RSA today, we announced that vendors are asked to develop a fix for a reported vulnerability within 120 days of receiving our product vulnerability report. This begins with reports received on or after March 1.  Historically, we have requested that vendors work to develop a fix for the reported product vulnerability, within 180 days of receiving our product vulnerability report.


Why change?
Our purpose in changing the policy is to push vendors to decrease the amount of time it takes them to react to responsibly disclosed vulnerabilities and to reduce the attack surface faster.  We know the public is already at risk. The vulnerabilities exist.  Researchers, white hats - and black hats - are actively looking for them every day.


Is this realistic for large vendors?
The evidence is, absolutely!  They are actually responding in closer to 120 days already.  It seems that we have grown together…


In 2010:
• ZDI was publishing around 100 vulnerabilities a year
• 30% of them were > 365 days
• To address sluggish or non-existent response by vendors, the ZDI instituted a 180-day public disclosure policy

In 2011:
• Every one of the “Top 10” vendors had at least 1 vulnerability >180 days

In 2013:
• Only 6 vendors had 1+ vulnerability > 180 days
• 5 vendors averaged > 120 days
• Only 2 averaged > 180 days

Overall, vendor timelines are greatly reduced.  We thank these vendor partners for their increased commitment to secure coding and regular patching.  We look forward to continuous growth and improvement together.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.