Although HP is one of the greatest manufacturers today, HP still faces all sorts of security flaws just like other major manufacturers and developers on the market. Manufacturers usually share their new found vulnerabilities with public, but that’s not always a good idea because when vulnerability is publicly disclosed it can attract all sorts of malicious users that want to exploit it. This is the main reason many companies are having zero-day vulnerability policy because that’s the safest way to work on and to fix the security flaws with its products. As you might know, HP offers paid bounty to all independent security researchers that manage to discover these zero-day vulnerabilities. Although this zero-day vulnerability policy has been working well for the past five years HP has decided to change its terms because some vendors aren’t fixing their flaws on time.
Aaron Portnoy, HP’s manager of security research says that HP has always been supportive of nondisclosure policy because that the simplest way to hide security flaws from hackers and other malicious users that want to exploit them. That way security flaws are being kept in secret from the public until the vendors fix them. This was a good way to keep its products safe from hackers but it also takes a lot of time to fix the flaws because vendors could easily make their own time frames that way. Some developers have been working on their flaws for years and HP has decided to put some pressure on them, therefore each vendor will have a specific time frame to fix the security flaws with its products. That time frame will last for six months and if vendors fail to fix the flaws by that time, the flaws would be disclosed publicly. This improved zero-day vulnerability policy sounds promising, but we’ll have to wait in order to see how it works in practice.