The world’s largest vendor-agnostic bug bounty program has warned that poor quality vendor patching is exposing organizations to unnecessary extra risk and could be costing them upwards of $400,000 per update.
Trend Micro’s Zero Day Initiative (ZDI) was responsible for nearly 64% of all vulnerabilities disclosed in 2021.
However, the organization has warned of a significant decline in both the quality of patches and vendor communication with customers.
“The ZDI has disclosed over 10,000 vulnerabilities to vendors since 2005, but we've never been more concerned about the state of security patches across the industry,” argued ZDI boss Brian Gorenc.
“Vendors that release inadequate patches with confusing advisories are costing their customers significant time and money and adding unnecessary business risk.”
By failing to present customers with authoritative information in plain English, vendors are leaving network defenders unable to accurately gauge their risk exposure, the ZDI claimed.
In addition, when vendors release faulty or incomplete patches, organizations may believe they’re protected when they’re not. They will also likely have to apply an additional patch to fix issues in the first one, costing extra time and money that are in limited supply, the ZDI said.
As a result of the worsening situation, the ZDI announced changes to its disclosure policy.
“Our standard 120-day disclosure timeline for most vulnerabilities remains, but for bug reports that result from faulty or incomplete patches, we will use a shorter timeline,” it said in a blog post.
“Moving forward, the ZDI will adopt a tiered approach based on the severity of the bug and the efficacy of the original fix.”
This could mean critical severity bugs, where exploitation is expected and patches can be easily circumvented, will be disclosed by ZDI in just 30 days.
To mitigate these challenges, Trend Micro recommended that organizations develop rigorous asset discovery and management programs, use only trustworthy vendors and conduct continuous risk assessments.