Trend Micro ZDI Offering $1.2M in Targeted Incentive Program Awards

Trend Micro is adding new targets to the ZDI Targeted Incentive Program, providing security researchers with financial awards for successfully demonstrating full exploit chains.


Trend Micro is refocusing its Zero Day Initiative (ZDI) Targeted Incentive Program (TIP) with new targets for researchers to discover and disclose zero-day flaws.

The TIP program is now adding OpenSSH and the ISC BIND DNS server to the effort, awarding researchers $200,000 for successfully reporting vulnerabilities that enable remote code execution. The TIP program already includes $200,000 awards for flaws in the NGINX and Apache HTTP web servers running on Ubuntu Linux, as well as Microsoft IIS and SMB. In total, the TIP effort now has an award pool of $1.2 million available for researchers to claim.

"For TIP, we are looking for bugs in the NGINX, Apache, OpenSSH and ISC BIND code bases, but we will also acquire bugs in Ubuntu, Linux, Red Hat and other open-source products that impact our customers through the normal Zero Day Initiative program," Brian Gorenc, director of vulnerability research with Trend Micro’s ZDI program, told eWEEK.

ZDI is in the business of acquiring vulnerabilities from security researchers and then responsibly disclosing the flaws privately to impacted vendors. The TIP effort was first announced in July as an incentivized effort to help solicit more server-side vulnerabilities from researchers. To date, ZDI has not awarded any money as part of TIP, as there have been no completely successful vulnerability submissions from researchers.

"We did purchase some bugs that were submitted to the program, but they weren't full exploit chains, so they didn’t qualify as winning," Gorenc said. 

Gorenc explained that, in a sense, the TIP initiative is similar to ZDI's Pwn2Own contest. Pwn2Own is an event where researchers need to demonstrate a full exploit from start to finish at a live event. At the Pwn2Own event in March, ZDI awarded researchers a total of $267,000 for disclosing new vulnerabilities in operating system and browser software.

Much like Pwn2Own, ZDI often doesn't get bugs when a new category is first announced, he said. 

"The bar to win a category is pretty high, so it’s not too surprising we haven’t received a winning submission yet," Gorenc said.


The TIP program initially also included the open-source Joomla, Drupal and WordPress content management systems (CMS) that are now being removed from the effort.

"Part of the program is designed to be time-bound," Gorenc said. "When the time period for those programs ended, we removed them from the program."

ISC BIND is new to TIP and is a widely deployed DNS (Domain Name System) server. DNS provides a critical function in the operation of the internet, matching IP addresses to domain names to enable web browsing. OpenSSH is also new to the program and is an open-source implementation of the SSH (Secure SHell) protocol that enables remote administration of servers.

Pwn2Own Tokyo

The new TIP categories come a week ahead of ZDI's mobile Pwn2Own event in Tokyo, which runs Nov. 13-14. At the 2017 Mobile Pwn2Own, 32 different zero-day vulnerabilities were disclosed, with ZDI awarding researchers $515,000 in awards.

The 2018 Mobile Pwn2Own event will introduce new mobile targets for researchers to go after.

"We’ve added a category for internet of things that includes cameras, smart speakers and the Apple watch," Gorenc said. "Last year, we saw a baseband exploit. It wouldn’t shock us to see additional research in that area."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.