IBM, Hewlett-Packard and Microsoft led the list of companies that failed to patch vulnerabilities after being notified by the world's largest bug-bounty program, according to the TippingPoint Zero-Day Initiative (ZDI).
During 2011, TippingPoint -- a division of HP -- released 29 "zero-day" advisories that had information about vulnerabilities the company had reported to IT vendors six or more months earlier. Ten of the 29 were bugs in IBM software, six were in HP applications and five, later patched, were in Microsoft products.
Other vendors on the late-to-patch list included CA, Cisco and EMC.
TippingPoint, which sponsors the Pwn2Own hacking contest, buys information about vulnerabilities from independent security researchers and privately reports them to vendors. It uses the information to craft defenses for its own line of security appliances.
In mid-2010, TippingPoint announced that it would go public with advisories that included "limited details" of reported vulnerabilities if vendors didn't patch them within six months.
TippingPoint released its first zero-day advisory on Feb. 7, 2011.
Last year, TippingPoint said it was using the six-month deadline to push software developers to release patches faster. "By releasing some information, it puts the spotlight on vendors," said Aaron Portnoy, the leader of TippingPoint's security research team.
Portnoy and Derek Brown, a ZDI researcher, said the pressure has worked, more or less. "We've seen a better response," Brown said. "If it doesn't look like they're making a commitment to patching, we release the information."
"It puts pressure on the vendors to patch their products, because the number of unpatched vulnerabilities can change the perception of the product's security," Portnoy argued.
As of late December, TippingPoint's independent researchers generated 350 vulnerability reports, up 16% from 301 a year earlier.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.
Read more about security in Computerworld's Security Topic Center.