The Zero Day Initiative (ZDI) was established by TippingPoint, now part of Trend Micro, to promote the responsible reporting of zero-day vulnerabilities to the affected vendors while paying the researchers who discover them. It was created in response to a prevailing perception in the information security industry that anyone who finds vulnerabilities is a malicious hacker out to cause harm. Skilled malicious attackers certainly exist, but they are only a small fraction of the people who uncover software flaws.
The ZDI's primary objective is to supplement its parent company's internal research teams with zero-day research and exploit intelligence from the global community of independent researchers. This collaborative model led to the launch of the ZDI on July 25, 2005.
At present, the ZDI operates the largest vendor-agnostic bug bounty program in the world. Its handling of acquired vulnerability information differs from many other programs in that it does not publicly disclose technical details of a vulnerability until the vendor has released a patch.
A notable event organized by the ZDI is Pwn2Own, which is held in several countries each year. At the most recent Vancouver, Canada event (Pwn2Own Vancouver 2023), contestants disclosed 27 unique zero-day vulnerabilities and collectively won $1,035,000, plus a car. The Master of Pwn winner, Synacktiv, earned 53 points, $530,000, and a Tesla Model 3 for its work.
It is important to emphasize that the ZDI does not resell or redistribute the vulnerabilities it acquires. Researchers who submit vulnerabilities through the ZDI program are relieved of the burden of chasing the bug with the vendor: the ZDI works with the vendor to make sure the technical details and severity of each reported flaw are understood, and keeps the researcher informed of the case's progress toward disclosure. Researchers are therefore free to move on to finding other bugs. Equally important, the ZDI will never withhold disclosure of an acquired vulnerability because a product vendor does not wish to address it; if no fix ships within the ZDI's published disclosure window (120 days by default), a limited advisory with mitigation guidance is published anyway.
Researchers who want to participate provide exclusive information about a previously unpatched vulnerability they have found. The ZDI first verifies the researcher's identity for ethical and financial oversight. Its internal researchers and analysts then reproduce the reported issue in their labs and make a monetary offer to the researcher; if the offer is accepted, payment follows promptly. Researchers who keep submitting vulnerability research earn bonuses and higher rewards through a loyalty program that works much like a frequent-flier program.
Once a researcher's bug report has been acquired, the ZDI develops and deploys protection filters for Trend Micro TippingPoint customers. At the same time, it immediately notifies the affected vendor so that a patch can be developed. The ZDI's disclosure policy is to report every acquired vulnerability to the product vendor. This gives researchers confidence that their discoveries will not be suppressed, and assures vendors that a professional, standardized set of guidelines will be followed throughout the disclosure process.
Upon the development of a patch by the vendor, the ZDI collaboratively works with them to issue a joint advisory, acknowledging the originating researcher with full credit unless the researcher prefers to remain anonymous. Before the public disclosure of the vulnerability, the ZDI may choose to share technical details of the vulnerability with other security vendors. This facilitates the preparation of an appropriate security response for the customers of these vendors, extending the protection to a customer base larger than the ZDI’s own.
To keep a researcher's discovery confidential until the vendor has a patch, Trend Micro customers receive only a generic description of the deployed filter that does not reveal the vulnerability itself. Once details are made public in coordination with the vendor, an updated description is released so customers can identify the filters that had been protecting them. In other words, customers are protected from the vulnerability in advance without knowing what it is.
For those who wish to learn more about the Zero Day Initiative, further information can be found on their website at https://www.zerodayinitiative.com/.
About the Author:
Gary Miliefsky, an internationally recognized cybersecurity expert, bestselling author, and keynote speaker, is a founding member of the US Department of Homeland Security and has served on the National Information Security Group and on MITRE's OVAL advisory board (MITRE is responsible for the CVE Program). Since 2012, he has been the Publisher of Cyber Defense Magazine. To learn more about Gary, visit https://www.cyberdefensemagazine.com/.