Within the security researcher community, the Zero Day Initiative (ZDI) program is a well-known entity, representing the world’s largest vendor agnostic bug bounty program. Customers of the TippingPoint Intrusion Prevention Systems (IPS) and Threat Protection Systems (TPS) know the ZDI as the group that buys 0-days so they have protections before the affected vendor releases a patch. Outside of those communities, there may be misconceptions about what happens behind the scenes when dealing with so many bugs.
At a high level, here’s how the program works. An independent researcher finds an otherwise unknown vulnerability (e.g. 0-day) in a piece of software and reports that to the ZDI. The researcher can be from just about anywhere – we have worked with more than 3,000 different researchers from 80+ countries. Being vendor agnostic means the software can be just about anything, too. In 2016, the ZDI purchased 0-days impacting 49 different vendors, including large vendors like Microsoft and Adobe as well as small, industry specific vendors like those in the SCADA realm. Once the bugs are verified by our internal researchers, we buy the bug – offering a variable price based on many factors (i.e. quality of the write-up, ubiquity of the target, ease of exploit, etc.).
Now that we confirmed the bug is real, two different things happen. First, the Digital Vaccine team creates filters for Trend Micro customers, which provides them an overage of 57 days of protection against these 0-days before anyone else. Perhaps more importantly, the bug is then disclosed to the vendor. The ZDI team works with the vendor to ensure a security patch is developed and released to the public. So even if you don’t use any Trend Micro products, your enterprise security is strengthened by the ZDI program. How often does this occur? Well, for the past three years, the ZDI has been the number one supplier of bugs to Microsoft, Adobe, and SCADA vendors amongst others. That equates to more than 2,100 patches just since 2014, and we’ve been doing this since 2005.
Another group familiar with the ZDI program are the vendors receiving our bug reports. Although it may seem to be an adversarial relationship, we do everything we can to assist vendors throughout the process. And vendor size or name recognition doesn’t matter to us – we strive to treat all vendors equitably. We provide accountability to both customers and researchers by listing when vulnerabilities are reported, which is not done by other bug bounty programs. After 120 days, if the vendor hasn’t made a patch available, we release additional information about the bug so that enterprises can gauge the risk to their systems. Unlike some, if the vendor is making significant progress towards a patch, we do extend this deadline provided real work is being done. In fact, there are some that consider us the cheapest and friendliest code audit they didn’t know to ask for, and we’re just fine with that.
Researchers from the ZDI also run the annual Pwn2Own competition, which just celebrated its 10th anniversary. Starting with a simple laptop that had to be exploited (e.g. pwned), a successful attempt earned the researcher the target laptop (thus the own). From those humble beginnings, the contest has evolved into a premier event impacting the security design of the participating targets. The level of difficulty ratchets up, as well. For standard reports through the program, a simple description and demonstration suffices. For Pwn2Own, a fully-functional exploit chain is required for a win. Of course, the prices go up for higher quality exploits, too. This year we awarded $833,000 USD in three days while acquiring 51 new 0-day bugs. These bugs go beyond simple patches. Vendors began implementing defense-in-depth measures and additional protections based on the results of the contest – making each new Pwn2Own more difficult than the last. These improvements reach consumers and enterprise users through updates, making their systems more resilient, as well.
Though little known outside specific circles, the ZDI program has wide-ranging impacts. The program assists in the coordinated disclosure of vulnerabilities, which gives affected vendors the opportunity to issue patches to the public before the bugs are used maliciously. By providing public notification dates, we provide accountability to help ensure vendors don’t ignore researcher reports. The resulting patches and program improvements positively impact the community at large, even though they might not have realized where the research originated. As seen in recent ransomware attacks, proper patch management can be the difference between a nuisance and a multimillion-dollar recovery.
There is no such thing as secure software – at least not any software that actually does anything. As the industry and software itself evolves, we’ll continue to evolve with it. Our goal continues to be finding and disclosing security bugs in popular software, working with independent researchers from around the globe, and reporting these findings to the vendors so they can fix things in a timely manner. It might not always be easy, but it will continue to be worth doing – whether everyone realizes it or not.