TippingPoint on Monday marked the first anniversary of its bug bounty program by posting a list of more than two dozen unpatched flaws in software made by such big-name developers as Adobe, Apple, Microsoft, Sun, and Symantec.
An arm of 3Com, TippingPoint debuted its Zero Day Initiative (ZDI) in July 2005 as the second ongoing bounty program; iDefense, now part of VeriSign, was the first. Since then, the Austin, Texas security company's ZDI has posted advisories on 30 vulnerabilities that were subsequently patched.
Its new list, however, is a departure for TippingPoint. "Over the past year, the most resounding suggestion from our ZDI researchers was to add more transparency to our program by publishing the pipeline of vendors with pending zero-day vulnerabilities," said David Endler, director of security research, in a statement.
Of the 22 ZDI-discovered and reported vulnerabilities on TippingPoint's list, 6 are for Microsoft products; 3 for Novell; and 2 each for Symantec, Apple, and Computer Associates. Other vendors represented include Citrix, IBM, and Adobe. Some of the flaws were reported to the appropriate vendor as many as 306 days ago, while 6 were only 14 days "old."
Six other vulnerabilities have been found by TippingPoint's own researchers, and at least one more will be posted to the list later this week.