July 2015 marked the 10th anniversary of the Zero Day Initiative (ZDI), providing us with the opportunity to walk down memory lane. Most of you know that the ZDI is one of the world’s oldest vendor-agnostic bug bounty programs and that it’s owned by HP. That hasn’t always been the case. The ZDI originated at the Austin, Texas security start-up TippingPoint. Over the course of the past ten years, ZDI has maintained close ties with TippingPoint, through two acquisitions and ultimately ending up at HP in 2010. Our partnership remains strong as we continue to protect customers through pre-disclosure filters based on ZDI research and bounties. As we start our 11th year, you can still call us “ZDI” (or Zed-D-I for our global researchers).
Over the life of the program, our principles remained the same. This has allowed the program to flourish. What many may not know is that this program is bigger than the people running it. I like to think of ZDI as a living entity that can survive the normal corporate churn of headcount, and it has. Internally, we often talk about when milestones occurred by saying “that was during ZDI 1.0/2.0/3.0.” Yes, as of today, we are on the third iteration of ZDI. The demarcation of each comes with the changing of leadership. While ZDI 3.0 doesn’t talk about its internal size and structure publicly (the program is so much bigger than that), each ZDI version has a distinct personality that is a reflection of those in custodial care of it at the time. I will be using version numbers throughout this writing to denote some of our milestones and set them to a specific time period.
The early years: ZDI 1.0
Founded in July 2005, ZDI was created to protect the IT ecosystem by compensating independent researchers for submitting their finds to the program. The core principles the program was founded on remain the core principles we operate by today:
To accomplish these simple but lofty goals, the program implemented a few unique aspects to build loyalty and interest. Remember, this was 10 years ago — what was “unique” then has become the “norm” now. These included a web portal for submitting and tracking vulnerabilities, releasing no vuln details before a vendor patched, researcher verification, fast and easy payments, and a dedicated team of internal researchers vetting and reporting to vendors.
While working to gain researcher interest and loyalty on the one hand, the program was also working to establish contacts with the affected vendors. Gaining their trust was crucial to long-term success. Not surprisingly, conversations between vendors and ZDI have been both congenial and contentious – often during the same conversation. Ultimately, most have come to trust that we are helping them and our collective customers.
Expanding the program’s visibility, ZDI 1.0 launched the Pwn2Own contest at CanSecWest Security Conference in 2007. In the intervening years the contest has become one of the great equalizers by demonstrating that any code can be hacked.
During ZDI 1.0, the program continued to grow and gain respect in the industry, disclosing more than 900 vulnerabilities and paying out nearly $4M to researchers.
A brief word on ZDI 2.0
With the purchase of 3Com by Hewlett-Packard in 2010, there was a changing of the guard within the ZDI. The program remained a critical component along with TippingPoint’s DVLabs and largely went unchanged. Bounties were paid, patches were shipped, and zero days were dropped.
Where the notable changes occurred during this time was in Pwn2Own. The team, under the guidance of Aaron Portnoy, continued to run three-day contests during CanSecWest Security Conference and largely targeted web browsers, though there was an increased focus on mobile device vulnerabilities. In fact, the first ever successful mobile device exploit at Pwn2Own came in 2010 against the Apple iPhone 3GS. This was also the contest that experienced a large vendor patch release just nine days prior, when Apple released 16 patches against WebKit and Safari. This would not be the last time that a vendor patch prior to a contest caused researcher heartburn. With the rules defining the “latest version” as the criterion for success, there have been many long nights immediately preceding the contest to ensure exploits would still work. Those that were “patched out” withdrew their entries.
Continuing to take vulnerabilities out of play resulted in more than 700 disclosures and just over $1.5M to researchers.
Which brings us to today’s team. The program has seen some of its greatest accomplishments (most advisories in a single year, winning the Microsoft Mitigation Bypass Bounty and the BlueHat Bonus for Defense awards) and its toughest times. One of the oddest program moments came in August 2012, when the ZDI dropped 17 zero days against HP. As you might expect, dropping zero days on your own corporation can cause quite a stir.
While Pwn2Own (P2O) continued to run each March, we saw the spin-off of mobile devices to its own contest. Launched at EUSecWest Security Conference 2012, Mobile Pwn2Own (mP2O) offered $200K in prizes for demonstrated vulnerabilities in Apple iOS, BlackBerry, and Android. Not stopping there, mP2O continued to grow with 2014 handing out more than double the first prize package. Of course, P2O also saw its biggest year in 2014 with $850,000 in payouts and more than 30 vulnerabilities.
The team hasn’t just been putting on contests and disclosing vulnerabilities; they have been traveling the globe presenting their own research at some of the most respected security conferences in the world. All told, the team has posted some impressive accomplishments with more than 1,200 disclosures and paying out just shy of $4 million.
The ever-changing world in which we live
During the life of ZDI, we’ve witnessed the world change quite a bit. When the team was first formed, most of the population didn’t know what a breach was or that there were careers in cyber-security. We’ve seen researchers step into the spotlight and we’ve seen them shun publicity. There have been laws around research, copyrights, exports, and many other topics. Today, with the “Year of the Breach” just past us, there is more legislation in the US congressional pipeline than ever before, all trying to define “good hackers” and “bad hackers.” Those of us in the ZDI think we have a pretty good handle on the definitions and continue to be humbled by the talent and passion of those choosing to participate in our program.
This talent and passion is amply demonstrated by a couple of researchers who submitted to ZDI before they became members of our internal team.
Researchers speak up
Abdul-Aziz Hariri (@abdhariri) started at the very beginning of the program submitting his first case in 2005. One of our more prolific submitters, Abdul-Aziz is responsible for more than 5% of all submissions to the ZDI. While quantity may seem like a good approach, it is actually quality that gets you noticed, at least in terms of payouts. Of course, quality doesn’t come easy. It takes years of trial and error, learning and developing tools, and a deep, deep technical understanding of assembly. Abdul-Aziz tells of his start when one of his friends was hacked in 2000. This got him interested in security and led to vulnerability research, which eventually led to working for the ZDI and submitting to other bounty programs. When asked what one thing he wanted people to know about ZDI he says,
“For the past 10 years, ZDI paid researchers millions of dollars. All the vulnerabilities were disclosed to the vendors. ZDI does NOT sell the bugs to anyone. ZDI simply discloses the bugs to vendors and generates Digital Vaccine filters for the TippingPoint solutions.”
Expressing similar sentiments is another stand-out researcher, Simon Zuckerbraun (@HexKitchen).
“ZDI takes vulnerabilities off the market, which results in a higher barrier to entry for every criminal operation that wants to compromise your systems. Haven’t had an incident? It’s possible that you have ZDI to thank.” Simon began submitting in 2009 and states that being a vulnerability researcher affords him the opportunity to act out his “inner supervillain, sans the guilt.”
In all seriousness, the drive behind researchers submitting to ZDI and eventually working for the program comes from an unwavering moral compass and a drive to “do good.”
There’s no arguing that the ZDI has had a tremendous positive effect in securing the landscape by bringing researchers and vendors together and setting the standard for coordinated disclosure. Rest assured that this won’t change as we start our 11th year. In the coming years, the only prediction we can accurately make is that the information security industry will continue to change. We suspect the vulnerability market will continue to evolve as more and more vendors announce their own programs to incentivize research. We also anticipate that regulations and legislation will impact the nature of disclosure, and not necessarily in a positive manner. While we must evolve as the industry evolves, it is our goal to continue to find and disclose security bugs in popular software, to work with a growing number of independent researchers from around the globe, and to disclose these findings to the vendors so they can fix things in a timely manner. It might not always be easy, but it will continue to be worth doing.
In closing, here is one last thought from Simon:
“Infosec has become incredibly important, as recent news amply demonstrates. As a society that depends heavily on technology we need to do much more to ensure that vendors ship securely designed products and are responsive to reports of vulnerabilities. Progress in this area tends to be quite difficult. One highly welcome development is the proliferation of bug bounty programs that has occurred over the past few years. On the other hand, a looming threat is that new government regulations as per the Wassenaar Arrangement will have the inadvertent effect of suppressing security research.”
Stay tuned for fun facts and more research as we continue to celebrate this amazing program.