Ten of the 29 were bugs in IBM software, six in HP's own software and five were in Microsoft products.
IBM and HP never patched the 16 vulnerabilities, some reported by ZDI two or even three years earlier, that were disclosed in the bounty-paying program's zero-day advisories.
Portnoy and Brown also credited the pressure of a six-month deadline for ZDI's record-setting year. So far during 2011, TippingPoint's cadre of independent researchers had generated 350 vulnerability reports, up 16% from the 301 of 2010, said Brown.