When the Zero Day Initiative (ZDI) was formed in 2005, the cyber threat landscape was a bit different from what we see today. Threats were a little less sophisticated, but there was one thing that we saw then that we still see now: the shortage of cybersecurity professionals and researchers. The team decided that with ZDI, they could augment the internal team with the expertise of external researchers. In addition, ZDI would promote responsible vulnerability disclosure to affected vendors and protect our customers ahead of a vendor patch. As you probably suspected, the launch of ZDI was met with skepticism, with people saying things like “the ZDI is promoting hacking by creating a market for vulnerabilities” and “they’re going to fail,” but the team was determined to make this program work.
Fast forward to 2018. Now in its thirteenth year (coming up on July 25), the ZDI manages the largest vendor-agnostic bug bounty program in the world with over 3,500 external researchers complementing the internal team’s efforts. The surge of over 500 new registered researchers in the first half of 2018 alone is a testament to the appeal and benefits that the ZDI program offers to those who want to conduct responsible security research and be appropriately compensated for their efforts. Since the program’s inception, over $18 million USD has been awarded to external researchers. This is quite an accomplishment given that there was only one submission in the first year of the program. Contributions to the ZDI program have been growing steadily since 2010, and in the first half of 2018, the ZDI published a record-breaking 600 advisories, paying researchers over $1 million USD.
But the benefits of ZDI go beyond the researcher community – Trend Micro customers also benefit from the vulnerability research conducted by the ZDI. The insights on threat and exploit trends that the team sees from external researchers, as well as their own internal research, have led to increased focus on SCADA and Industrial IoT (IIoT) vulnerabilities, which make up approximately 30% of submissions this year. The ZDI also works very closely with ICS-CERT and was the number one supplier of SCADA/ICS vulnerabilities in 2017. Trend Micro customers also benefit through preemptive protection for vulnerabilities that come through the ZDI program. Patch management is a constant headache for most organizations, and it can become a flat-out nightmare if a zero-day hits and you have hundreds of systems to patch. Filters that are created as a result of the exclusive access to vulnerability information from ZDI provide protection an average of 72 days before a patch is available. They can play a key role in alleviating the patch management headache with a virtual patch at the network level while you work to update systems or wait for a vendor patch. Trend Micro is one of the few security vendors that has the breadth and depth of vulnerability research that results in this level of protection coverage. Does every vulnerability submitted to the program get exploited? No. But just like I carry automotive insurance “just in case” I get in a car accident, think of the ZDI program along the same lines – an extra level of protection “just in case” you can’t patch your systems in time in the event a vulnerability submitted through our program is exploited before a patch is issued by the affected vendor.
The continued growth of the Zero Day Initiative bug bounty program and leadership in vulnerability research can only lead to more secure products and more secure customers. Without the program, many vulnerabilities would continue to either remain behind closed doors or be sold on the black market and used for corrupt purposes. Accountability is paramount to the program, and over the course of 13 years, the ZDI has worked to build trust with leading software vendors and the research community to promote the importance of security in the product development lifecycle. As the threat landscape evolves, the ZDI will evolve with it and stay at the forefront of vulnerability research to make our technology world a safer place.