"Bug Bounty Giant Slams Quality of Vendor Patching"

The world’s largest vendor-agnostic bug bounty program, Trend Micro’s Zero Day Initiative (ZDI), has warned that poor-quality vendor patching is exposing organizations to unnecessary extra risk and could be costing them upwards of $400,000 per update. ZDI was responsible for nearly 64% of all vulnerabilities disclosed in 2021, and it has warned of a significant decline in both the quality of patches and the quality of vendor communication with customers. ZDI has disclosed over 10,000 vulnerabilities to vendors since 2005, but its researchers say they have never been more concerned about the state of security patches across the industry. According to the researchers, vendors that release inadequate patches with confusing advisories are costing their customers significant time and money and adding unnecessary business risk. By failing to give customers authoritative information in plain English, vendors leave network defenders unable to accurately gauge their risk exposure, and by releasing faulty or incomplete patches, vendors leave organizations believing they are protected when they are not. Those organizations will then likely have to apply an additional patch to fix the original patch, costing extra time and money that are in limited supply. Because of the worsening situation, ZDI announced changes to its disclosure policy. Its standard 120-day disclosure timeline for most vulnerabilities remains, but bug reports that result from faulty or incomplete patches will be handled on a shorter timeline. Going forward, ZDI will adopt a tiered approach based on the severity of the bug and the efficacy of the original fix. In practice, this means that critical-severity bugs where exploitation is expected and the patch can be easily circumvented could be disclosed by ZDI in just 30 days.
 

Infosecurity reports: "Bug Bounty Giant Slams Quality of Vendor Patching"
