Trend Micro's Zero Day Initiative (ZDI) announced changes to its bug bounty program in a move designed to prompt vendors to act more quickly on ineffective patches.
To that end, ZDI introduced new vulnerability disclosure timelines for flaws that result from faulty or incomplete patches, along with a tiered approach based on the severity of the flaw and the efficacy of the original fix. The ZDI also noted that its standard 120-day disclosure timeline will remain in place for other vulnerabilities.
Previously, the initiative had reduced its disclosure timeline from 180 to 120 days, and said that the move helped to reduce vendors' overall time-to-fix.
Under the new tiered policy, the ZDI will give vendors 30 days to fix critical vulnerabilities where exploitation is expected, 60 days for critical- and high-severity bugs where the existing patch still provides some protection, and 90 days for lower-severity flaws where no immediate exploitation is expected.
“Moving forward, we will be tracking failed patches more closely and will make future policy adjustments based on the data we collect,” the initiative said.
ZDI also announced a new Twitter handle, @thezdibugs, which will publish only advisories for zero-day vulnerabilities, high-risk bugs, and Pwn2Own flaws.