Trend Micro paid more than US$2m in bug bounties in 2016

Trend Micro's bug bounty programme, the Zero-Day Initiative, paid out more than US$2 million in bounties in 2016 to researchers who submitted details of various flaws to it, the company says.

A company spokesperson told iTWire that ZDI was created to protect the IT ecosystem by compensating independent researchers for submitting their findings. Submissions are used to create filters for the TippingPoint intrusion prevention system (IPS) and privately disclosed to vendors so fixes can be prepared.

The unit was set up at HPE but nothing has changed since it came over to Trend Micro.

"In fact, ZDI has grown and made 2016 our busiest year ever with 674 advisories published and more than US$2 million awarded to researchers," the spokesperson said.

ZDI itself has a handful of analysts reviewing and verifying the submissions, plus a co-ordinator to handle conversations between researchers and vendors.

"Externally, more than 3000 independent researchers from around the world have submitted bugs to ZDI," the spokesperson said.

Trend Micro researchers at this year's Pwn2Own contest.

What kind of processes are undertaken to decide on what people should work?

Researchers choose what they submit to the programme, although we do encourage them to look at widely deployed applications. These are the things attackers are most likely to target, so fixing bugs in these popular programs has a greater impact.

How do outside people get involved?

Interested researchers can submit bugs through the ZDI Secure Portal, which is available here.

What is the timeframe for so-called responsible disclosure?

ZDI provides a 120-day window for vendors to release a patch to address a vulnerability found in their software.

So the ZDI appears to be similar to a bug bounty programme. Would one be right in characterising it that way?

The ZDI is a bug bounty programme for rewarding security researchers for responsibly disclosing vulnerabilities. It is the largest vendor-agnostic bug bounty programme.

There are companies like Immunity that find out about vulnerabilities and then tell their clients about it, but do not inform the vendors. Is there ever a chance that Trend Micro would do something like this?

Our programme is designed to work with vendors to correct the vulnerabilities reported to us. It goes against our customers' best interest to withhold information from vendors.

In terms of ROI, how does the ZDI work out? If you forked out US$2 million plus in 2016, you would need to have made double that to make the venture worthwhile, isn't it?

Due to the shifting marketplace for software bugs, there isn’t a set dollar figure that works for year-over-year comparisons. By providing TippingPoint customers with filters ahead of the vendor-released patch, we provide our customers unique protections from 0-day attacks. The intelligence gained from having these vulnerabilities reported to us is its own ROI.

How does ZDI make contact with the underground - where, it is well-known, some of the more problematic vulnerabilities are discovered? Do you have outside sources on tap whose names are not known to you, yet you work with them because they deliver?

For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known illegal groups. The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any product.

Photos: courtesy Trend Micro.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
