Trend Micro paid more than US$2m in bug bounties in 2016

Trend Micro's bug bounty programme, the Zero-Day Initiative, paid out more than US$2 million in bounties in 2016 to researchers who submitted details of various flaws to it, the company says.

A company spokesperson told iTWire that ZDI was created to protect the IT ecosystem by compensating independent researchers for submitting their findings. Submissions are used to create filters for the TippingPoint intrusion prevention system (IPS) and privately disclosed to vendors so fixes can be prepared.

The unit came over to Trend Micro from HPE, and according to the spokesperson nothing has changed since the move.

"In fact, ZDI has grown and made 2016 our busiest year ever with 674 advisories published and more than US$2 million awarded to researchers," the spokesperson said.

ZDI itself has a handful of analysts reviewing and verifying the submissions, plus a co-ordinator to handle conversations between researchers and vendors.

"Externally, more than 3000 independent researchers from around the world have submitted bugs to ZDI," the spokesperson said.


Trend Micro researchers at this year's Pwn2Own contest.

What kind of processes are undertaken to decide on what people should work?

Researchers choose what they submit to the programme, although we do encourage them to look at widely deployed applications. These are the things attackers are most likely to target, so fixing bugs in these popular programs has a greater impact.

How do outside people get involved?

Interested researchers can submit bugs through the ZDI Secure Portal.

What is the timeframe for so-called responsible disclosure?

ZDI provides a 120-day window for vendors to release a patch to address a vulnerability found in their software.

So the ZDI appears to be similar to a bug bounty programme. Would one be right in characterising it that way?

The ZDI is a bug bounty program for rewarding security researchers for responsibly disclosing vulnerabilities. It is the largest vendor-agnostic bug bounty programme.

There are companies like Immunity that find out about vulnerabilities and then tell their clients about it, but do not inform the vendors. Is there ever a chance that Trend Micro would do something like this?

Our programme is designed to work with vendors to correct the vulnerabilities reported to us. It goes against our customers' best interest to withhold information from vendors.

In terms of ROI, how does the ZDI work out? If you forked out US$2 million plus in 2016, you would need to have made double that to make the venture worthwhile, isn't it?

Due to the shifting marketplace for software bugs, there isn’t a set dollar figure that works for year-over-year comparisons. By providing TippingPoint customers with filters ahead of the vendor-released patch, we provide our customers unique protections from 0-day attacks. The intelligence gained from having these vulnerabilities reported to us is its own ROI.

How does ZDI make contact with the underground - where, it is well-known, some of the more problematic vulnerabilities are discovered? Do you have outside sources on tap whose names are not known to you, yet you work with them because they deliver?

For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known illegal groups. The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any product.

Photos: courtesy Trend Micro.

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
