Zero Day Initiative

Company type: Software vulnerability program
Industry: Cyber security
Founded: July 25, 2005
Owner: Trend Micro
Website: www.zerodayinitiative.com

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com.[1] The program passed to Trend Micro as part of its acquisition of HP TippingPoint in 2015.[2]


ZDI buys software vulnerabilities from independent security researchers, then discloses them to the affected vendors for patching before making the details public.

History

ZDI was started on July 25, 2005 by TippingPoint and was initially led by David Endler and Pedram Amini.[3] The "zero-day" in ZDI's name refers to Day Zero, the first day on which a vendor becomes aware of a vulnerability in its software. The program was launched to pay cash rewards to vulnerability researchers and hackers who could demonstrate exploitable flaws in a wide range of software. Without such an incentive, and with concerns about their own safety and about confidentiality, researchers and hackers are often deterred from approaching vendors directly when they find vulnerabilities. ZDI was created as a third-party program to collect such findings and reward them, while protecting both the researchers and the sensitive details of the vulnerabilities.[3]

ZDI contributors have found security vulnerabilities in products such as Firefox 3, [4] Microsoft Windows, [5] QuickTime for Windows, [6] and in a variety of Adobe products. [7] [8]

ZDI's own researchers also hunt for vulnerabilities and have found many in Adobe products,[9] Microsoft products,[10][11][12] VMware products,[13] and Oracle Java.[14][15]

In 2016, ZDI was the top external supplier of bugs for both Microsoft and Adobe, having "purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software." [16]

ZDI also organizes and judges the Pwn2Own hacking competition, held three times a year,[17] in which teams of hackers win cash prizes and keep the software and hardware devices they have successfully exploited.

Buying exploits

There has been criticism of the sale of software exploits and of the entities that buy them. Although the practice is legal, its ethics remain contested; most critics are concerned about what happens to an exploit once it has been sold.[18] Hackers and researchers who find flaws in software can sell them to government agencies, to third-party companies, on the black market, or to the software vendors themselves.

The fair market value and the black market value of a software exploit differ greatly, often by tens of thousands of dollars,[19] and so do the implications of each kind of purchase. This combination of concerns has led to the rise of third-party programs such as ZDI as places where security researchers can report and sell vulnerabilities.[19]

ZDI receives submissions for vulnerabilities such as remote code execution, elevation of privilege, and information disclosure, but "it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programs." [16]

Related Research Articles

An exploit is a method or piece of code that takes advantage of vulnerabilities in software, applications, networks, operating systems, or hardware, typically for malicious purposes. The term "exploit" derives from the English verb "to exploit," meaning "to use something to one's own advantage." Exploits are designed to identify flaws, bypass security measures, gain unauthorized access to systems, take control of systems, install malware, or steal sensitive data. While an exploit by itself may not be malware, it serves as a vehicle for delivering malicious software by breaching security controls.

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

A zero-day is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Pwn2Own is a computer hacking contest first held in April 2007 at the CanSecWest security conference in Vancouver; it is now held twice a year, most recently in March 2024. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited and a cash prize. The Pwn2Own contest serves to demonstrate the vulnerability of devices and software in widespread use while also providing a checkpoint on the progress made in security since the previous year.

Vupen Security was a French information security company founded in 2004 and based in Montpellier with a U.S. branch based in Annapolis, Maryland. Its specialty was in discovering zero-day vulnerabilities in software from major vendors in order to sell them to law enforcement and intelligence agencies which used them to achieve both defensive and offensive cyber-operations. Vupen ceased trading in 2015, and the founders created a new company Zerodium.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

HackerOne Inc. is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. As of December 2022, HackerOne's network had paid over $230 million in bounties. HackerOne's customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

Tavis Ormandy is an English computer security white hat hacker. He is currently employed by Google and was formerly part of Google's Project Zero team.

Zerodium is an American information security company. The company was founded in 2015 with operations in Washington, D.C., and Europe. The company develops and acquires zero-day exploits from security researchers.

The market for zero-day exploits is commercial activity related to the trafficking of software exploits.

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

Benjamin Kunz Mejri is a German IT security specialist and penetration tester. His areas of research include vulnerabilities in computer systems, bug bounties, the security of e-payment services and privacy protection. Mejri is known for uncovering new zero-day vulnerabilities and making them transparent to the public.

Alisa Shevchenko, professionally known as Alisa Esage, is a Russian-born computer security researcher, entrepreneur and hacker with Ukrainian roots. She is known for working independently with dominant software corporations such as Google and Microsoft to find and exploit security weaknesses in their products; for being the first female participant in Pwn2Own, the world's premier professional hacking competition with significant cash prizes; and for being accused by the government of the United States of hacking the presidential elections in 2016.

Ben Hawkes is a computer security expert and white hat hacker from New Zealand, previously employed by Google as manager of their Project Zero.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

References

  1. "A Lively Market, Legal and Not, for Software Bugs". The New York Times. January 30, 2007. Archived from the original on November 9, 2020. Retrieved October 21, 2020.
  2. "Trend Micro To Acquire HP TippingPoint For $300M". CRN. October 21, 2015. Retrieved June 21, 2021.
  3. "Groups argue over merits of flaw bounties". Security Focus. April 5, 2006. Archived from the original on February 2, 2021. Retrieved October 21, 2020.
  4. "Zero Day Initiative Finds First Firefox 3 Vulnerability". Wired. June 19, 2008. Archived from the original on October 29, 2020. Retrieved October 21, 2020.
  5. "Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS". The Register. March 10, 2015. Archived from the original on October 28, 2020. Retrieved October 21, 2020.
  6. "Why did QuickTime for Windows move to end of life so abruptly?". TechTarget. Archived from the original on December 2, 2020. Retrieved October 21, 2020.
  7. "Stop the Flash madness - 5 bugs a week". Computer Weekly. August 16, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  8. "Security Updates Available for Adobe Acrobat and Reader". Adobe. December 11, 2015. Archived from the original on May 25, 2020. Retrieved October 21, 2020.
  9. "Tackling Privilege Escalation with Offense and Defense". Black Hat. Archived from the original on November 19, 2020. Retrieved October 21, 2020.
  10. "Microsoft awards HP researchers $125,000 bug bounty". ZDNet. February 5, 2015. Archived from the original on September 29, 2020. Retrieved October 21, 2020.
  11. "Exploit code released for unpatched Internet Explorer flaw". ZDNet. June 22, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  12. "Abusing Silent Mitigations - Understanding Weaknesses Within Internet Explorer". Black Hat. December 29, 2015. Retrieved October 21, 2020.
  13. "T302 VMware Escapology How to Houdini The Hypervisor AbdulAziz Hariri Joshua Smith". Adrian Crenshaw. September 22, 2017. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  14. "Black Hat USA 2013 - Java Every-Days: Exploiting Software Running on 3 Billion Devices". Black Hat. December 3, 2013. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  15. "Researchers Analyze Oracle WebLogic Flaw Under Attack". Dark Reading. May 11, 2020. Archived from the original on October 31, 2020. Retrieved October 21, 2020.
  16. "Inside one of the world's largest bug bounty programmes". Computer Weekly. July 9, 2018. Archived from the original on September 20, 2020. Retrieved October 21, 2020.
  17. "Pwn2Own contest will pay $900,000 for hacks that exploit this Tesla". Ars Technica. January 14, 2019. Archived from the original on November 7, 2020. Retrieved October 21, 2020.
  18. "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits". Forbes. March 23, 2012. Archived from the original on March 14, 2014. Retrieved October 21, 2020.
  19. "Zero-day sales not 'fair' - to researchers". The Register. June 3, 2007. Archived from the original on February 16, 2021. Retrieved October 21, 2020.