Network security vendor TippingPoint announced it has removed 30 zero day threats, is resolving 29, and has signed 400 security researchers to its Zero Day Initiative (ZDI) program.
The threats are posted on the ZDI portal, which was created last year. During this time the program has dealt with threats in Microsoft applications and in products from Mozilla, Symantec, Novell, Adobe and Apple. Until a patch is released, the TippingPoint Research Team (TSRT) keeps threat details confidential to avoid exploitation by hackers.
TippingPoint director of security research David Endler said that although the TSRT removes technical details from published pending threats, responsibility lies with the vendor in reporting and evaluation.
"Many of these vulnerabilities are still unresolved after six months or more after initial reporting; responsible disclosure only works well when the affected product vendor makes a concerted effort to evaluate and address a reported flaw," Endler said.
"As long as a zero day issue remains unresolved, the danger increases to that affected vendor's customer base; we hold the vendor community accountable to the same standards that they expect from the security research community.
"Over the past year, the most resounding suggestion from our ZDI researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero day vulnerabilities."
ZDI participants notify TippingPoint, which informs the product vendor of the threat. A Digital Vaccine is created for clients to 'address specific exploits' and 'potential attack permutations' by using security filters such as traffic anomaly and vulnerability-based filters, and attack signatures for viruses.
Pending and resolved vulnerabilities and TSRT statistics are available at http://www.zerodayinitiative.com/advisories.html.