So far, 2018 has been a very busy year for Trend Micro’s Zero Day Initiative, which is in the business of acquiring software vulnerabilities from security researchers.
Through the first six months of the year, ZDI has already published 600 security advisories. In contrast, in the first half of 2017, ZDI published 451 advisories. However, while ZDI has published 33 percent more advisories in the first half of 2018 than 2017, there was actually a 42 percent decline in the number of zero-day advisories released by ZDI.
In total, ZDI has paid out approximately $1 million in awards to security researchers in 2018.
“This is ahead of where we were at this point last year, and that’s primarily through volume,” Brian Gorenc, director of ZDI, told eWEEK.
ZDI was originally part of TippingPoint, which Hewlett Packard acquired in 2010. HP in turn sold TippingPoint to Trend Micro in October 2015. ZDI’s biggest event during any given year is the group’s Pwn2Own live hacking competition. At the 2018 event in March, ZDI awarded a total of $267,000 to security researchers for demonstrating new vulnerabilities. Pwn2Own isn’t the only time ZDI acquires vulnerabilities from researchers, however. It does so year-round.
“We still see plenty of buffer overflows, command injection bugs, and out-of-bounds read/write problems submitted to the program, but vulnerabilities in JIT [just in time compilation] are increasingly popular,” Gorenc said.
In terms of vendors, 22 percent of ZDI’s disclosures in the first half of 2018 were for Advantech, which develops industrial and embedded systems. Sixteen percent of disclosures were for Adobe products, which had been the top vendor for disclosures in the first half of 2017 at 20 percent. The amount paid per disclosure varies, and Gorenc said there really isn’t an average payout.
“Bugs reports that come into the program can vary widely in value based of many different factors,” he said. “Because of this, we don’t like to average things out as it doesn’t really reflect the true value of bug submissions to the program.”
Once ZDI acquires a vulnerability from a researcher, it makes a private disclosure to the impacted vendor. The vendor then has 120 days to fix the issue, after which point, ZDI publicly discloses the vulnerability. If after 120 days, a vendor still has not patched an issue and ZDI issues a public advisory, that’s classified as a zero-day disclosure. Only 23 advisories in the first six months of 2018 exceeded ZDI’s disclosure policies, a decrease of 42 percent from the 49 reported in the same period of 2017.
“Generally speaking, vendors are improving their response processes,” Gorenc said. “We certainly hope this continues, but the second half of this year could look quite different, [as] we do still have 580 cases in our upcoming queue.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.