Zero Day Initiative

Last updated
Zero Day Initiative
TypeSoftware vulnerability program
Industry Cyber security
FoundedJuly 25, 2005;16 years ago (2005-07-25)
Owner Trend Micro
Website www.zerodayinitiative.com OOjs UI icon edit-ltr-progressive.svg

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. [1] The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015. [2]

Contents

ZDI buys various software vulnerabilities from independent security researchers, and then discloses these vulnerabilities to their original vendors for patching before making such information public.

History

ZDI was started on July 25, 2005 by TippingPoint and was initially led by David Endler and Pedram Amini. [3] The "zero-day" in ZDI's name refers to the first time, or Day Zero, when a vendor becomes aware of a vulnerability in a specific software. The program was launched to give cash rewards to software vulnerability researchers and hackers if they proved to find exploits in any variety of software. Due to lack of incentive and safety and confidentiality concerns, researchers and hackers are often deterred from approaching vendors when finding vulnerabilities in their software. ZDI was created as a third-party program to collect and incentivize finding such vulnerabilities, while protecting both the researchers and the sensitive information behind the vulnerabilities. [3]

ZDI contributors have found security vulnerabilities in products such as Firefox 3, [4] Microsoft Windows, [5] QuickTime for Windows, [6] and in a variety of Adobe products. [7] [8]

ZDI also conducts internal research for vulnerabilities and has found many in Adobe products, [9] Microsoft products, [10] [11] [12] VMware products, [13] and Oracle Java. [14] [15]

In 2016, ZDI was the top external supplier of bugs for both Microsoft and Adobe, having "purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software." [16]

ZDI also adjudicates the Pwn2Own hacking competition which occurs three times a year, [17] where teams of hackers can take home cash prizes and software and hardware devices which they have successfully exploited.

Buying exploits

There has been criticism on the sale of software exploits, as well as on the entities who buy such vulnerabilities. Although the practice is legal, the ethics of the practice are always in question. Most critics are concerned about what can happen to software exploits once they are sold. [18] Hackers and researchers who find flaws in software can sell those vulnerabilities to either government agencies, third-party companies, on the black market, or to the software vendors themselves.

The fair market value versus black market value for software exploits greatly differ (often variable by tens of thousands of dollars), [19] as do the implications for purchasing software vulnerabilities. This combination of concerns has led to the rise of third-party programs such as ZDI and others as places to report and sell vulnerabilities for security researchers. [19]

ZDI receives submissions for vulnerabilities such as remote code execution, elevation of privilege, and information disclosure, but "it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programs." [16]

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.

In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.

In computer security, responsible disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended. This period distinguishes the model from full disclosure.

A zero-day is a computer-software vulnerability unknown to those who should be interested in its mitigation. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit directed at a zero-day is called a zero-day exploit, or zero-day attack.

Pwnie Awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference.

FireEye is a publicly traded cybersecurity company headquartered in Milpitas, California. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks. FireEye was founded in 2004.

Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. First held in April 2007 in Vancouver, the contest is now held twice a year, most recently in November 2019. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

Vupen Security was a French information security company founded in 2004 and based in Montpellier with a U.S. branch based in Annapolis, Maryland. Its specialty was in discovering zero-day vulnerabilities in software from major vendors in order to sell them to law enforcement and intelligence agencies which use them to achieve both defensive and offensive cyber-operations. Vupen ceased trading in 2015, and the founders created a new company Zerodium.

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. It was one of the first companies, along with Synack and Bugcrowd, to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; it is the largest cybersecurity firm of its kind. As of May 2020, HackerOne's network had paid $100 million in bounties.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

Tavis Ormandy is an English computer security white hat hacker. He is currently employed by Google as part of their Project Zero team.

The market for zero-day exploits refers to the commercial activity that happens around the trafficking of software exploits.

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

Benjamin Kunz Mejri

Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His areas of research include vulnerabilities in computer systems, bug bounties, the security of e-payment payment services and privacy protection. Mejri is known for uncovering new zero-day vulnerabilities and making them transparent to the public.

Alisa Esage, also known as Alisa Shevchenko, is a Russian hacker, recognized for working with companies to find vulnerabilities in their systems. A self-described “offensive security researcher,” a 2014 profile in Forbes says of Shevchenko: "she was more drawn to hacking than programming." After dropping out of school she worked as a malware analysis expert for Kaspersky Labs for five years. In 2009, she founded the company Esage Labs, later known as ZOR Security

Ben Hawkes is a computer security expert and white hat hacker from New Zealand, currently employed by Google as manager of their Project Zero.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

Sam Curry is an American bug bounty hunter, and student. He is best known for his contributions to web application security through participation in bug bounty programs, most notably finding a security vulnerability in Tesla after cracking his windshield. Curry began working as a security consultant through his company 17security in 2018, and is currently a student at the University of Nebraska Omaha.

References

  1. "A Lively Market, Legal and Not, for Software Bugs". The New York Times. January 30, 2007. Archived from the original on November 9, 2020. Retrieved October 21, 2020.
  2. "Trend Micro To Acquire HP TippingPoint For $300M". CRN. October 21, 2015. Retrieved June 21, 2021.
  3. 1 2 "Groups argue over merits of flaw bounties". Security Focus. April 5, 2006. Archived from the original on February 2, 2021. Retrieved October 21, 2020.
  4. "Zero Day Initiative Finds First Firefox 3 Vulnerability". Wired. June 19, 2008. Archived from the original on October 29, 2020. Retrieved October 21, 2020.
  5. "Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS". The Register. March 10, 2015. Archived from the original on October 28, 2020. Retrieved October 21, 2020.
  6. "Why did QuickTime for Windows move to end of life so abruptly?". TechTarget. Archived from the original on December 2, 2020. Retrieved October 21, 2020.
  7. "Stop the Flash madness - 5 bugs a week". Computer Weekly. August 16, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  8. "Security Updates Available for Adobe Acrobat and Reader". Adobe. December 11, 2015. Archived from the original on May 25, 2020. Retrieved October 21, 2020.
  9. "Tackling Privilege Escalation with Offense and Defense". Black Hat. Archived from the original on November 19, 2020. Retrieved October 21, 2020.
  10. "Microsoft awards HP researchers $125,000 bug bounty". ZD Net. February 5, 2015. Archived from the original on September 29, 2020. Retrieved October 21, 2020.
  11. "Exploit code released for unpatched Internet Explorer flaw". ZD Net. June 22, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  12. "Abusing Silent Mitigations - Understanding Weaknesses Within Internet Explorer". Black Hat. December 29, 2015. Retrieved October 21, 2020.
  13. "T302 VMware Escapology How to Houdini The Hypervisor AbdulAziz Hariri Joshua Smith". Adrian Crenshaw. September 22, 2017. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  14. "Black Hat USA 2013 - Java Every-Days: Exploiting Software Running on 3 Billion Devices". Black Hat. December 3, 2013. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  15. "Researchers Analyze Oracle WebLogic Flaw Under Attack". Dark Reading. May 11, 2020. Archived from the original on October 31, 2020. Retrieved October 21, 2020.
  16. 1 2 "Inside one of the world's largest bug bounty programmes". Computer Weekly. July 9, 2018. Archived from the original on September 20, 2020. Retrieved October 21, 2020.
  17. "Pwn2Own contest will pay $900,000 for hacks that exploit this Tesla". Ars Technica. January 14, 2019. Archived from the original on November 7, 2020. Retrieved October 21, 2020.
  18. "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits". Forbes. March 23, 2012. Archived from the original on March 14, 2014. Retrieved October 21, 2020.
  19. 1 2 "Zero-day sales not 'fair' - to researchers". The Register. June 3, 2007. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.