The whole purpose of vulnerability disclosure is to notify software developers of flaws in their code so they can create fixes or patches and improve the security of their products. But after 17 years and more than 10,000 vulnerability disclosures, the Zero Day Initiative is identifying a “disturbing trend” today at the Black Hat security conference in Las Vegas and announcing a plan to put some pressure on it.
Owned by security firm Trend Micro since 2015, ZDI is a program that buys vulnerability findings from researchers and handles disclosures to vendors. In exchange, Trend Micro, which makes antivirus and other security products, gets a ton of information and telemetry it can use to track research and, it hopes, protect its customers. The group estimates it has processed about 1,700 disclosures this year. But ZDI warns that, from its bird’s-eye view, the quality of vendor patches has generally declined in recent years.
More and more often, the group buys a bug report from a researcher, the vendor patches the flaw, and soon after ZDI buys another report describing how to get around that patch, sometimes through multiple rounds of patching and bypasses. ZDI also reports that it has noticed a worrying trend of companies disclosing less specific information about vulnerabilities in their public security alerts, making it difficult for users around the world to assess the severity of vulnerabilities and prioritize fixes – a real concern for large organizations and critical infrastructure.
“Over the past few years, we’ve really noticed a marked decline in the quality of security patches,” says ZDI member Dustin Childs. “There is no responsibility for incomplete or faulty patches.”
ZDI researchers say bad patches occur for a variety of reasons. Figuring out how to fix software flaws can be a complex and delicate process, and sometimes companies lack the experience or the investment needed to create elegant solutions to these critical problems. Organizations may be in a rush to close bug reports and clean up their backlog, and they may not take the necessary time to conduct “root cause” or “variant” analysis and assess the underlying issues so that deeper problems can be fixed.
Whatever the reason, bad patches are a real concern. In late June, Google’s Project Zero bug-finding team found that at least half of the new vulnerabilities it tracked as being used by attackers in the wild through 2022 were variants of previously fixed flaws.
“A combination of things over time has led us to believe that we actually have a bigger problem than most people realize,” says Brian Gorenc, who runs ZDI.
Like other organizations active in disclosure, notably including Project Zero, ZDI gives developers a deadline by which they must release a patch before details of the vulnerability in question are made public. The standard ZDI term is 120 days from the date of disclosure. But in response to the epidemic of bad patches, the team is today announcing a new set of terms for bugs that were previously fixed.
Depending on the severity of the flaw, how easy it is to bypass the patch, and the likelihood of attackers exploiting the vulnerability, ZDI says it will now set deadlines of 30 days for critical flaws, 60 days for bugs where an existing patch provides some protection, and 90 days for all other cases. The move follows a tradition of using public disclosure as an important lever, one of the few available to security advocates, to push for needed improvements in how developers handle serious software flaws that could potentially affect users around the world.
“The arsenal of failed patches in various vulnerabilities is absolutely being used in the wild right now,” says ZDI’s Childs. “This is a real issue that has real consequences for the user, and we’re trying to incentivize vendors to get it right the first time.”