Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Vulnerability Broker Applies Pressure on Software Vendors Shipping Faulty, Incomplete Patches

Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.

Trend Micro’s Zero Day Initiative, a major player in the vulnerability disclosure ecosystem, is ramping up the pressure on software vendors that consistently ship faulty security patches.

In a major revision of its disclosure policies, the vulnerability broker said it will set strict 30-day deadlines for critical-level bug reports that result from faulty or incomplete patches as part of a deliberate effort to reverse a disturbing trend around patch quality and transparency around vendor communications.

“Over the last few years, we’ve noticed a disturbing trend – a decrease in patch quality and a reduction in communications surrounding the patch. This has resulted in enterprises losing their ability to accurately estimate the risk to their systems,” ZDI said in a note announcing the disclosure timeline policy change.

In an interview with SecurityWeek, ZDI spokesman Dustin Childs said the company will implement a tiered approach based on the severity of the bug and the efficacy of the original fix. 

On the first tier, an aggressive 30-day timeframe will be applied for more critical-rated cases where exploitation is detected or likely to happen.  Childs said ZDI will implement 60-day deadlines for critical- and high-severity bugs where the patch offers some protections and a 90-day window for vulnerabilities no imminent exploitation is expected. 

[ READ: Did Microsoft Botch the PrintNightmare Patch? ]

The vulnerability wholesaler typically gives companies up to 120 days to patch security vulnerabilities bought from bug-bounty hackers and Childs said aggressive deadlines is one of the few tools available to influence software vendors.

Over the last 18 months, Childs said ZDI bug bounty data shows a dramatic surge in submissions related to faulty patches that are easy to bypass or fail to fix the underlying vulnerability.

“We’re seeing between 10% and 20% of all bugs we’ve purchased come from bad patches.  We’re seeing it across the board, not just in our regular bug bounty program, but at Pwn2Own and other submissions, it’s a significant problem,” Childs said.

“The problem has always been there but it’s gotten so much worse,” Childs said, noting that software vendors are rushing to automate the vulnerability reporting process with negative side effects. 

The ZDI spokesman lamented the push towards “API-driven vulnerability reporting” that removes humans from a sensitive part of the vulnerability reporting – and patch quality testing – processes. 

“Unfortunately, automation has these ugly side effects,” Childs said. “Instead of sending an email to a human, we’re now emailing an API that puts the information into a CRM and kicks out a tracking number.  There used to be a human behind the ‘[email protected]’ email box but that’s now gone.  We’re left with less communications on the patches, poor communications on how QA and testing are done, and faulty patches everywhere.

[ READ: Microsoft Takes Another Stab at PrintNightmare Security Fix ]

“We’re literally paying twice for bugs for bypasses that we’ve previously paid for.  Paying twice for bugs that are patched with a CVE,” Childs said, noting that the problem is pervasive across the industry.

During a Black Hat conference session in Las Vegas last week (download slides), Childs and ZDI colleagues shared data showing a surge in patches that make no effective changes (the vulnerability is still present after the vendor’s official patch is applied) and an ongoing issue where patches are bypassed mere hours after a patch is released.

The company identified faulty patches from a roster of major tech vendors, including Microsoft, Adobe, Google, Oracle, VMware, Cisco, Apple, HP and Dell.

Childs blamed a “lack of commitment” from vendors to sustained security engineering and response and an absence of transparency in communications or advisories.

“Enterprises no longer have a clear view of the true risk to their networks [and] spend additional time and money patching what they’ve already patched,” Childs explained, noting that an incomplete or faulty patch results in more risk than if there’s no patch at all.

He warned that the weaponization of failed patches and variants of already patched vulnerabilities are being used in the wild and urged enterprise defenders to look beyond Patch Tuesday when assessing organizational risk.

Related: Microsoft Confirms ‘PrintNightmare’ is New Security Flaw

Related: Did Microsoft Botch the PrintNightmare Patch?

Related: Microsoft Takes Another Stab at PrintNightmare Security Fix

Related: Already Exploited Zero-Day Headlines Microsoft Patch Tuesday

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.