Bug Bounty Giant Criticizes Vendor Patching Quality

The largest vendor-agnostic bug bounty program in the world has warned that poor-quality vendor patching exposes organizations to extra risk, and could leave them spending upwards of $400,000 per upgrade.

Trend Micro’s Zero Day Initiative (ZDI) was responsible for almost 64% of the vulnerabilities disclosed in 2021.

The organization warned, however, of a decline in both the quality of patches and the quality of vendor communication with customers.

Brian Gorenc, head of the ZDI, stated that the program had disclosed more than 10,000 vulnerabilities to vendors since 2005. However, he said he was now more concerned about the quality of security patches across the industry.


Vendors who release insufficient patches and confusing advisories are putting their customers at significant risk.

The ZDI stated that vendors are failing to give customers clear, plain-English information, leaving them unable to accurately assess their risk exposure.

Incomplete or faulty patches can also leave organizations believing they are protected when they are not. The ZDI stated that such organizations will likely need to apply a further patch to correct the issues in the previous one, which adds time and cost.

In response to the worsening situation, the ZDI made changes to its disclosure policy.

It stated that while the standard 120-day disclosure timeframe remains in effect for most vulnerabilities, bug reports resulting from incomplete or faulty patches will be handled on a shorter timeline.

“The ZDI will continue to move forward with a tiered approach that is based on severity and efficacy of the original bug fix.”

Under that approach, the ZDI will disclose such bugs within 30 days.

To mitigate these risks, Trend Micro recommended that organizations develop robust asset discovery and management plans, rely only on trustworthy vendors, and conduct continuous risk assessments.
