Today, there remains a perception within the information security industry that vulnerability researchers are malicious hackers looking to do harm. While there clearly are malicious people out there, they remain a small minority of the total number of those who actually discover new software vulnerabilities. In reality, the number of benevolent researchers with the expertise required to discover a software vulnerability is a sizeable and growing population. The dissemination of publicly available vulnerability analysis and discovery tools has helped foster this group of security enthusiasts. Also, it is not uncommon for “white hat” security professionals to stumble onto a new flaw while doing their day-to-day security work.
While our own researchers find many vulnerabilities on their own, it made sense to augment their efforts by leveraging the methodologies, expertise, and time of others through the Zero Day Initiative (ZDI). To accomplish this, we encouraged the reporting of zero day vulnerabilities financially rewarding researchers. Those who discover 0-day (e.g. previously unknown) bugs can submit them to the ZDI program and receive monetary compensation for doing so. As a researcher discovers and provides additional research, bonuses and rewards can increase through a loyalty program similar to a frequent flier program.
Once the bug is confirmed by our researchers, teams work to develop filters for the report so that customers of TippingPoint remain protected while the bug is being corrected by the vendor. The ZDI then discloses the information about the bug to the affected vendor so that they can build and distribute a security patch. Once a patch is ready from the affected vendor, ZDI researchers work collaboratively with the vendor to notify the public of the vulnerability through a joint advisory that provides full credit to the originating researcher, unless the researcher chooses to remain anonymous.
Our disclosure policy reassures researchers and customers that the reported bug will not be “swept under the rug” by the vendor. It also reassures product vendors that there is a professional and standard set of guidelines they can expect to be utilized throughout the disclosure process. This policy and our process have continued over 10 years and resulted in the ZDI program becoming the world’s largest vendor agnostic bug bounty program. In that time, the ZDI has had a tremendous positive effect in securing the landscape by bringing researchers and vendors together and setting the standard for coordinated disclosure. In all, more than 3,500 0-days have been patched through the program.
As we move forward, we expect the vulnerability market to evolve as more and more vendors announce their own programs to incentivize research. We also anticipate regulations and legislation to impact the nature of disclosure, and not necessarily in a positive manner. While we evolve as the industry evolves, our goal continues to be finding and disclosing security bugs in popular software, working with independent researchers from around the globe, and reporting these findings to the vendors so they can fix things in a timely manner. It might not always be easy, but it will continue to be worth doing.