Wednesday, February 9, 2011

Hooray for Accountability (ZDI Drops 22 0day)

Well, it's February 2011, and the year is flying by already.  Quite frankly, I'm thrilled to see this story run and made a big deal out of -because if you're anything like me you're sick to your stomach from all the large software vendors that have been non-accountable for the crap they release.

The Register is running a story about how the ZDI has "spilled the beans" on 22 advisories, and some of the juicy details of the bugs.  Rather than waiting indefinitely for the vendor to decide whether they care to take the time to patch their software or not - ZDI has taken a stand and published the bugs just 180 days after confirming the vulnerability with the vendor.  I think that's fair, don't you?  6 months to analyze, identify, strategize and release a patch is plenty of time -even if you're a monster Fortune 100 corporation.

What I think is the bigger story, bigger than the 22 bugs released (one of which is of an unpatched flaw in the parent company, HP ...oh noes!) is that the ZDI changed their policy a while back so as not to wait indefinitely for a patch from the vendor before publishing the bugs.  Now, it's 180 days, and time to pay the piper... and you have to hold them in high regard for that.

If you'd like to see the disclosure on the ZDI blog, check it out here ...companies include EMC, Novell, CA, SCO, HP and of course IBM.

In all the buzz and press around this release, I think it's critical to remember one thing - accountability is paramount.  If you don't hold yourself accountable ...the ZDI boys and girls will.

No comments: