In association with heise online

08 February 2011, 16:25

ZDI names and shames security vulnerabilities from Microsoft, IBM, HP and Novell

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

ZDI Logo Six months ago, the Zero Day Initiative (ZDI) announced that it would no longer tolerate vendors taking a long time to fix security flaws in their products and would release information on vulnerabilities after a maximum of 180 days. They've now lived up to their promise and released information on 22 long-running security problems.

ZDI rewards security experts for finding security vulnerabilities so it can be the first to utilise the information. It also takes responsibility for informing vendors of vulnerabilities so it can, where possible, publish information on fixing them, in concert with the vendor. However, vendors have been known to take over a year to produce a patch and consent to publication. Because this extended delay represents an unnecessary risk for users, ZDI announced that it would, in future make, information on vulnerabilities public after a maximum of 180 days.

The 22 security vulnerabilities it has now disclosed relate to products from Microsoft, IBM, Novell, CA, EMC and even ZDI's parent company HP. Affected products include Lotus Notes, PowerPoint and Excel. These vulnerabilities are definitely be taken seriously, as ZDI usually carries out careful checks to ensure that the problems described are genuine security issues. To receive the full reward, discoverers of vulnerabilities are usually required to supply a demo exploit. The vulnerabilities in the published list even include issues scoring the maximum 10 points on the Common Vulnerability Scoring System (CVSS) scale.

ZDI published advisories:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit