A company spokesperson told iTWire that ZDI was created to protect the IT ecosystem by compensating independent researchers for submitting their findings. Submissions are used to create filters for the TippingPoint intrusion prevention system (IPS) and privately disclosed to vendors so fixes can be prepared.
The unit was set up at HPE but nothing has changed since it came over to Trend Micro.
"In fact, ZDI has grown and made 2016 our busiest year ever with 674 advisories published and more than US$2 million awarded to researchers," the spokesperson said.
"Externally, more than 3000 independent researchers from around the world have submitted bugs to ZDI," the spokesperson said.
Trend Micro researchers at this year's Pwn2Own contest.
What kind of processes are undertaken to decide what people should work on?
Researchers choose what they submit to the programme, although we do encourage them to look at widely deployed applications. These are the things attackers are most likely to target, so fixing bugs in these popular programs has a greater impact.
How do outside people get involved?
Interested researchers can submit bugs through the ZDI Secure Portal, which is available here.
What is the timeframe for so-called responsible disclosure?
ZDI provides a 120-day window for vendors to release a patch to address a vulnerability found in their software.
So the ZDI appears to be similar to a bug bounty programme. Would one be right in characterising it that way?
The ZDI is a bug bounty programme for rewarding security researchers for responsibly disclosing vulnerabilities. It is the largest vendor-agnostic bug bounty programme.
There are companies like Immunity that find out about vulnerabilities and then tell their clients about it, but do not inform the vendors. Is there ever a chance that Trend Micro would do something like this?
Our programme is designed to work with vendors to correct the vulnerabilities reported to us. It goes against our customers' best interest to withhold information from vendors.
In terms of ROI, how does the ZDI work out? If you forked out US$2 million plus in 2016, you would need to have made double that to make the venture worthwhile, wouldn't you?
Due to the shifting marketplace for software bugs, there isn’t a set dollar figure that works for year-over-year comparisons. By providing TippingPoint customers with filters ahead of the vendor-released patch, we provide our customers unique protections from 0-day attacks. The intelligence gained from having these vulnerabilities reported to us is its own ROI.
How does ZDI make contact with the underground - where, it is well-known, some of the more problematic vulnerabilities are discovered? Do you have outside sources on tap whose names are not known to you, yet you work with them because they deliver?
For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known illegal groups. The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any product.
Photos: courtesy Trend Micro.