TippingPoint came under the HP umbrella as a result of the acquisition of 3Com.
TippingPoint's previous practice had been to give vendors "a reasonable period of time to develop a fix to the identified vulnerability", judged according to the specific circumstances.
The company has now set a time limit of six months, after which it will publish "limited details of the vulnerabilities so end-users can take precautionary measures." HP officials said the purpose of the change was to encourage vendors to fix affected software quickly, reducing the risk of potential security attacks.
"Comprehensive protection of critical data assets requires organisations to keep their defences up to date as malicious activity reaches new levels and applications become more complex," said Aaron Portnoy, manager, Security Research, TippingPoint, HP.
"This policy change is critical for staying ahead of threats so users can reduce data, financial and productivity loss," he added.
So which vendors are currently taking more than six months to patch vulnerabilities? You might be in for a surprise if you read on.
There's a cluster of HP vulnerabilities that were reported to HP around 18 months ago, but the dubious honour of the oldest unpatched vulnerability on the ZDI list goes to IBM, with one that was reported to the company in mid-2007.
But according to a tweet from ZDI, the six-month 'fix or we'll disclose' deadline will not be applied retroactively, so TippingPoint's colleagues in other parts of HP can breathe a sigh of relief.