17 August 2022

Zero Day Initiative cuts some vulnerability disclosure timelines

Trend Micro's Zero Day Initiative (ZDI) announced changes to its bug bounty program in a move designed to prompt vendors to act more quickly when a patch turns out to be ineffective.

To that end, ZDI introduced new disclosure timelines for vulnerabilities that result from faulty or incomplete patches, along with a tiered approach based on the severity of the flaw and the efficacy of the original fix. ZDI also noted that its standard 120-day disclosure timeline will remain in place.

Previously, the initiative had reduced its disclosure timeline from 180 to 120 days, and said the move helped reduce vendors' overall time-to-fix.

Under the new policy, ZDI will give vendors 30 days to fix critical vulnerabilities where exploitation is expected, 60 days for critical and high-severity bugs where the pre-existing patch provides some protection, and 90 days for lower-severity flaws where no immediate exploitation is expected.

“Moving forward, we will be tracking failed patches more closely and will make future policy adjustments based on the data we collect,” the initiative said.

ZDI also announced a new Twitter handle, @thezdibugs, which will publish only advisories pertaining to zero-day vulnerabilities, high-risk bugs, and Pwn2Own flaws.
