There’s a bit of debate over who actually first said “Never make predictions, especially about the future.” There’s no debate about the sentiment. You usually end up saying something completely forgettable or something that will make you look silly in retrospect. Rather than try to predict trends for 2017, let’s take a look back at some specific numbers and highlights from 2016.
Our Busiest Year – Our Favorite Things
The Zero Day Initiative (ZDI) published 674 advisories during 2016 – eight more than last year. Of these, 54 were published as 0-day. That means that 620 different issues were successfully coordinated with the vendor to release alongside a patch or other mitigation. In all, ZDI paid out almost $2,000,000 USD this year. The information provided to DVLabs generated more than 450 pre-disclosure filters to help protect customers from zero-day threats.
As with previous years, we worked with lots of talented researchers in 2016. Our program would not be successful without our community of researchers, and we thank them for their contributions. Rather than call out the most prolific or try to narrow down what counts as “best,” we did want to highlight a researcher who caught our attention with both the complexity of issues found as well as the breadth of products reported. That researcher is known simply as “kdot” and he is responsible for published advisories in Google Chrome, Adobe Reader, Microsoft PDF Library, and Foxit Reader. In all, kdot was responsible for 30 separate published advisories in 2016. We get excited to see someone who’s growing his skills and managed to find bugs in high profile targets.
We’d be remiss if we didn’t mention some of the other great researchers who made significant contributions to ZDI in 2016. Another researcher who contributed multiple, high-profile targets would be bee13oy of CloverSec Labs. He contributed to 18 different advisories in product from Microsoft, Adobe, Oracle, and AVG among others. The researcher known as rgod has been a significant contributor to ZDI over the years, and 2016 was no exception. He had 15 published advisories in products including Microsoft, Novell, Dell, and CA. He also has more than 70 cases in the upcoming queue, so we’ll be speaking of him for a while. Speaking of the upcoming advisories, Steven Seeley of Source Incite has over 100 cases waiting for the vendor resolution. This compliments his 20 advisories published in 2016 in Adobe, Foxit, and Microsoft products.
Not every report from these researchers were automatically accepted. In fact, nearly 43 percent of all submissions were rejected in 2016. Reasons for rejecting a submission vary (see our FAQ), but this rate of rejection is on par with previous years and much better than some other programs have claimed.
Beautiful Bugs Abound
Although we thought about it quite a bit, we couldn’t come to a consensus on our favorite bug of the year (BOTY). Here are a few of the BOTY candidates:
Vendors in the Spotlight
Our program also relies on vendors patching the vulnerabilities we report to them, and we thank them for the work they do as well.
As with 2015, this past year saw ZDI publish more advisories for Adobe software than any other vendor, with Adobe product counting for 149 of the 674 total advisories. In fact, Adobe products accounted for 22% of published advisories in both 2015 and 2016. This year also continued the trend of issues being reported in Adobe Reader and Acrobat in addition to reports of issues in Flash. This trend will likely continue as more and more browsers prevent Flash from running by default.
Here’s the overall breakdown of vendors ZDI published advisories for in 2016:
After taking 2015 off with no advisories at all, Advantech industrial systems ended up as the #2 most reported vendor with 112 advisories published. That equates to 17 percent of the published advisories. However, this doesn’t necessarily mean this vendor has a wide surface attack area. All of these cases came in through the same anonymous researcher, meaning the researcher found a specific type of bug prevalent in their systems. Interestingly, this particular researcher didn’t report any bugs in any other vendor this past year.
Microsoft ended up as the #3 vendor this year, but that doesn’t mean they had an easy year. In fact, the folks up in Redmond ended up publishing more security bulletins than in any previous year. They broke the record that they had previously set the year before, a record which stood only one year itself. The biggest change for Microsoft vulnerabilities was the continued targeting of browsers. Although Microsoft touted its new Edge browser as being significantly more secure than Internet Explorer, 64 percent of Microsoft advisories we published were related to browsers, down slight from 67.5 percent in 2015. Clearly, researchers are still finding browser bugs. What has changed significantly is the reduction of browser-related advisories dropping from 95 percent in 2014. Clearly this reduction was due to advances in the UAF protections introduced silently in 2014. Overall, Microsoft accounted for 11 percent of published ZDI advisories, down from 17 percent in 2015.
One truly interesting fact centered on the rise in advisories for Apple products, which made a significant jump this year. While only representing 4 percent of advisories in 2014 and 2015, Apple products rose to 9 percent in 2016 with 61 advisories. It will be interesting to see if this trend continues in 2017.
Staying Busy Findings Bugs
Researchers from the ZDI found some bugs of their own during 2016 as well. This is on top of the work they do to triaging submissions to ensure they meet the guidelines of the program. ZDI researchers also must fully document the bug before sending it off to the vendor. Even while the patch is being developed by the vendor, ZDI researcher make themselves available in case the vendor may have any questions about the bug. Of course, the Pwn2Own and Mobile Pwn2Own competitions require a lot of their focus and time too. The set-up, administration, and verification of bugs takes a significant invest of time well beyond the cash payouts.
Despite all of this, 12 percent of published advisories resulted from the work of ZDI researchers. This research ended up in several conference talks as well. Most notably, ZDI researchers presented at places like Black Hat, DefCon, Ruxcon, and Hushcon. ZDI researchers went around the world attending various conferences and even found time to talk to some university students about research and bug bounties. Even our ridiculous smoking jacket got in on the action with a cameo on an episode of Viceland’s Cyberwar. In other words, it was a pretty busy year for our internal researchers.
Future So Bright…
During 2016, the ZDI program transitioned from HPE to Trend Micro with the sale of TippingPoint. Although some may have had doubts, the program continues to be strong, and this coming year looks to be even better. By the end of the first week of January there will be over 400 upcoming advisories pending public disclosure. 2017 will also be the 10-year anniversary of Pwn2Own – more on that one very soon. Also be on the lookout for new enhancements and improvements to the ZDI program as we further refine what it means to run the world’s largest vendor agnostic bug bounty program. Maybe we’ll even get around to updating our website – it’s our New Year’s resolution. Until then, stay safe, stay tuned to this blog, and follow us on Twitter for the latest updates from the ZDI.