Over the last 10 years, the Zero Day Initiative (ZDI) has established itself as the world’s premier vendor-agnostic bug bounty program. Of course, you don’t get to say that unless you’ve seen a massive number of bugs, which the ZDI certainly has. When you compile that much data on bugs, a few things tend to stand out. As we celebrate a milestone anniversary, we wanted to share ten fascinating facts we feel best represent a decade of bug submissions.
And as with any top 10 list, number four will shock you!
1. In the beginning, there was…backup?
The first advisory released by the ZDI in 2005 wasn’t for Microsoft, Apple, or Mozilla. It was for Symantec’s VERITAS NetBackup program. Released on October 12, 2005, the first ZDI advisory detailed a remote code execution vulnerability and provided information on where people could find the patch to correct it. Since that time, the ZDI has published over 2,000 more advisories detailing vulnerabilities across a wide range of software.
2. The big vendors are popular, but they’re not alone
We see quite a variety of vendors represented in submissions to the program. As most would suspect, the majority of the submissions come in for the vendors who have the most software (or the broadest market share). Microsoft, Apple, and Adobe account for 35% of all submissions to the program, with HP, Oracle, and Novell following close behind. But it’s not just the big guys who have vulnerabilities. The “others” category represents 33% of all submissions and includes Agilent Technologies, AOL (yes, that AOL), BitTorrent, GE, GoPro, Lexmark, Motorola, Panasonic, QUALCOMM, Red Hat, SAP, Sun Microsystems, Valve, and Zend – just to name a few.
Figure 1 – Submissions by vendor
However, not all submissions become actual cases we report to vendors. When we take a closer look at what actually gets disclosed to a vendor, the numbers change – but only slightly.
Figure 2 – Disclosures by vendor
3. Back to school doesn’t mean back to research
While our business isn’t as seasonal as some, there is a marked decline in submissions through the months of August, September, and October.
Figure 3 – Submissions by month
4. But researchers do take the weekends off
Like many people, you probably take Saturday and Sunday to spend time with your family, see some friends, begrudgingly visit the in-laws, or get some work done around the house. So do researchers – at least when it comes to submitting vulnerabilities. Submissions to the ZDI drop significantly on weekends.
Figure 4 – Submissions by day
5. Browsers in the bullseye
Most people online tend to use a web browser more than any other web-enabled application. It’s no wonder web browsers are a popular target for researchers and attackers alike. A full 16% of all submissions to the ZDI are directly related to a browser. These browsers include Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Opera.
6. Speaking of Internet Explorer…
When you take a closer look at the Microsoft submissions, 56% were in versions of Internet Explorer, 20% were in an Office component (think Word, Excel, Outlook, etc.), 13% were in the operating system, and 11% were other assorted Microsoft components – including one submission for Minesweeper! Unfortunately, the bug submission for Minesweeper didn’t yield code execution, so we ended up not buying it.
Figure 5 – Breakdown of Microsoft submissions
7. Not all that glitters is gold
Not all submissions we receive actually become patches. In total, 42% of submissions end up being rejected. Reasons for rejection vary, but include the bug not being valid or the bug not leading to code execution (e.g. a denial of service). Even legitimate bugs are rejected if they depend on an intended and documented insecure configuration. In addition, most denial-of-service reports, post-authentication SQL injections, cross-site scripting (XSS) and other website vulnerability reports, post-authentication reports, duplicate reports, reports of bugs that are already public (e.g. the PoC has already been posted on YouTube), and bugs that have already been reported to the vendor are also rejected.
8. Sorting through submissions takes time
On average, there are more than 30 days between the time the ZDI receives a submission and the time it’s disclosed to the vendor. This isn’t because of #4 (see above) — ZDI researchers aren’t just sitting around. The ZDI must triage each submission to ensure it’s an actual bug and meets the guidelines of the program (see #7). Once the ZDI researchers determine a submission is legit, they then take the time to fully document the bug before reporting it to the vendor. While the bug is being fixed, they must also be available to answer any questions the vendor may have about the bug. They do this all while still conducting their own research and submitting their own bugs, too.
9. Vendors are getting faster at fixing
In 2010, more than 30% of disclosures took over 365 days to be patched. To encourage vendors to move faster, the ZDI implemented a 180-day disclosure policy: if the fix wasn’t available after six months, the ZDI disclosed the information to the public. It worked. By 2013, only six vendors had a vulnerability older than 180 days and only five vendors averaged more than 120 days. In 2014, we shortened our disclosure window to 120 days based on this data, and we continue to watch this trend closely for the next inflection point that can help drive even more efficient patch release times.
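The disclosure policy above is easy to model, and doing so shows how the metrics quoted in this section (share of disclosures open longer than a threshold, vendors whose average exceeds a threshold, cases past their deadline) fall out of a simple case list. The script below is an added example and is not ZDI code; it assumes the window is chosen by the year the vendor was notified (180 days from 2010, 120 days from 2014), and the case data is constructed for illustration, not real ZDI submissions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Disclosure windows as described in the post: 180 days introduced in 2010,
# shortened to 120 days in 2014. Keyed by the year each policy took effect
# (assumption: the policy in force on the notification date applies).
POLICY_DAYS: Dict[int, int] = {2010: 180, 2014: 120}


def disclosure_window(reported_to_vendor: date) -> int:
    """Days a vendor gets before public disclosure for a report made on that date."""
    in_force = [year for year in POLICY_DAYS if reported_to_vendor.year >= year]
    if not in_force:
        raise ValueError("no disclosure policy in force on %s" % reported_to_vendor)
    return POLICY_DAYS[max(in_force)]


@dataclass
class Case:
    vendor: str
    reported_to_vendor: date
    patched: Optional[date] = None  # None while the fix is still outstanding

    def public_deadline(self) -> date:
        """Date after which the policy allows public disclosure."""
        return self.reported_to_vendor + timedelta(
            days=disclosure_window(self.reported_to_vendor))

    def days_open(self, today: date) -> int:
        """Time to patch, or time open so far for an unpatched case."""
        return ((self.patched or today) - self.reported_to_vendor).days


def overdue_cases(cases: List[Case], today: date) -> List[Case]:
    """Unpatched cases that are past their policy deadline."""
    return [c for c in cases if c.patched is None and today > c.public_deadline()]


def share_open_longer_than(cases: List[Case], today: date, threshold_days: int) -> float:
    """Fraction of cases open (or patched) after more than threshold_days."""
    return sum(1 for c in cases if c.days_open(today) > threshold_days) / len(cases)


def vendors_averaging_over(cases: List[Case], today: date, threshold_days: int) -> List[str]:
    """Vendors whose mean days-open across their cases exceeds threshold_days."""
    by_vendor: Dict[str, List[int]] = {}
    for c in cases:
        by_vendor.setdefault(c.vendor, []).append(c.days_open(today))
    return sorted(v for v, days in by_vendor.items() if mean(days) > threshold_days)


# Constructed sample cases (hypothetical vendors, not ZDI data).
SAMPLE_CASES = [
    Case("VendorA", date(2014, 1, 10), date(2014, 3, 1)),   # patched in 50 days
    Case("VendorA", date(2014, 6, 1), date(2015, 1, 15)),   # patched in 228 days
    Case("VendorB", date(2014, 9, 1), date(2014, 10, 1)),   # patched in 30 days
    Case("VendorB", date(2015, 2, 1)),                      # still open: 181 days
    Case("VendorC", date(2015, 5, 1)),                      # still open: 92 days
]
TODAY = date(2015, 8, 1)  # constructed "as of" date for the report

if __name__ == "__main__":
    for c in overdue_cases(SAMPLE_CASES, TODAY):
        print("overdue: %s (deadline %s)" % (c.vendor, c.public_deadline()))
    print("share open > 120 days: %.0f%%" % (100 * share_open_longer_than(SAMPLE_CASES, TODAY, 120)))
    print("vendors averaging > 120 days:", vendors_averaging_over(SAMPLE_CASES, TODAY, 120))
```

Run as-is to see the overdue list and the two summary metrics for the sample set; swapping SAMPLE_CASES for a real export and TODAY for the reporting date is all that changes.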
10. Producing CVEs for the greater good
While TippingPoint customers get filters for ZDI disclosures as soon as the bugs are confirmed, everyone benefits from them. Over the last 10 years, over 2,000 Common Vulnerabilities and Exposures (CVE) entries resulted directly from the ZDI program. This equates to over 2,000 patches from vendors resolving security bugs. While some bugs were more significant than others, getting them fixed (or at least publicly known) increases security for anyone living in the connected world.
We’re not done yet
As of August 2015, there were over 300 cases in the pipeline. While not all of these will end up as disclosures (see #7), the number of remaining cases demonstrates that even after 10 years, we’re not done. It’s a team effort – independent researchers continue finding new bugs, ZDI researchers continue to work their magic, and vendors keep patching.
Of course, none of these facts tell us what the next 10 years will bring, but with the explosion of cloud computing and the Internet of Things, we’ll have an entirely new set of fascinating facts to discuss 10 years from now. Until then, stay safe and follow us on Twitter for the latest updates from the ZDI.