Jump to content

Zero Day Initiative

From Wikipedia, the free encyclopedia
(Redirected from ZDI)
Zero Day Initiative
Company typeSoftware vulnerability program
IndustryCyber security
FoundedJuly 25, 2005; 19 years ago (2005-07-25)
OwnerTrend Micro
Websitewww.zerodayinitiative.com Edit this at Wikidata

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com.[1] The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.[2]

ZDI buys various software vulnerabilities from independent security researchers, and then discloses these vulnerabilities to their original vendors for patching before making such information public.

History

[edit]

ZDI was started on July 25, 2005 by TippingPoint and was initially led by David Endler and Pedram Amini.[3] The "zero-day" in ZDI's name refers to the first time, or Day Zero, when a vendor becomes aware of a vulnerability in a specific software. The program was launched to give cash rewards to software vulnerability researchers and hackers if they proved to find exploits in any variety of software. Due to lack of incentive and safety and confidentiality concerns, researchers and hackers are often deterred from approaching vendors when finding vulnerabilities in their software. ZDI was created as a third-party program to collect and incentivize finding such vulnerabilities, while protecting both the researchers and the sensitive information behind the vulnerabilities.[3]

ZDI contributors have found security vulnerabilities in products such as Firefox 3,[4] Microsoft Windows,[5] QuickTime for Windows,[6] and in a variety of Adobe products.[7][8]

ZDI also conducts internal research for vulnerabilities and has found many in Adobe products,[9] Microsoft products,[10][11][12] VMware products,[13] and Oracle Java.[14][15]

In 2016, ZDI was the top external supplier of bugs for both Microsoft and Adobe, having "purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software."[16]

ZDI also adjudicates the Pwn2Own hacking competition which occurs three times a year,[17] where teams of hackers can take home cash prizes and software and hardware devices which they have successfully exploited.

Buying exploits

[edit]

There has been criticism on the sale of software exploits, as well as on the entities who buy such vulnerabilities. Although the practice is legal, the ethics of the practice are always in question. Most critics are concerned about what can happen to software exploits once they are sold.[18] Hackers and researchers who find flaws in software can sell those vulnerabilities to either government agencies, third-party companies, on the black market, or to the software vendors themselves.

The fair market value versus black market value for software exploits greatly differ (often variable by tens of thousands of dollars),[19] as do the implications for purchasing software vulnerabilities. This combination of concerns has led to the rise of third-party programs such as ZDI and others as places to report and sell vulnerabilities for security researchers.[19]

ZDI receives submissions for vulnerabilities such as remote code execution, elevation of privilege, and information disclosure, but "it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programs."[16]

References

[edit]
  1. ^ "A Lively Market, Legal and Not, for Software Bugs". The New York Times. January 30, 2007. Archived from the original on November 9, 2020. Retrieved October 21, 2020.
  2. ^ "Trend Micro To Acquire HP TippingPoint For $300M". CRN. October 21, 2015. Retrieved June 21, 2021.
  3. ^ a b "Groups argue over merits of flaw bounties". Security Focus. April 5, 2006. Archived from the original on February 2, 2021. Retrieved October 21, 2020.
  4. ^ "Zero Day Initiative Finds First Firefox 3 Vulnerability". Wired. June 19, 2008. Archived from the original on October 29, 2020. Retrieved October 21, 2020.
  5. ^ "Stuxnet Redux: Microsoft patches Windows vuln left open for FIVE YEARS". The Register. March 10, 2015. Archived from the original on October 28, 2020. Retrieved October 21, 2020.
  6. ^ "Why did QuickTime for Windows move to end of life so abruptly?". TechTarget. Archived from the original on December 2, 2020. Retrieved October 21, 2020.
  7. ^ "Stop the Flash madness - 5 bugs a week". Computer Weekly. August 16, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  8. ^ "Security Updates Available for Adobe Acrobat and Reader". Adobe. December 11, 2015. Archived from the original on May 25, 2020. Retrieved October 21, 2020.
  9. ^ "Tackling Privilege Escalation with Offense and Defense". Black Hat. Archived from the original on November 19, 2020. Retrieved October 21, 2020.
  10. ^ "Microsoft awards HP researchers $125,000 bug bounty". ZD Net. February 5, 2015. Archived from the original on September 29, 2020. Retrieved October 21, 2020.
  11. ^ "Exploit code released for unpatched Internet Explorer flaw". ZD Net. June 22, 2015. Archived from the original on November 8, 2020. Retrieved October 21, 2020.
  12. ^ "Abusing Silent Mitigations - Understanding Weaknesses Within Internet Explorer". Black Hat. December 29, 2015. Retrieved October 21, 2020.
  13. ^ "T302 VMware Escapology How to Houdini The Hypervisor AbdulAziz Hariri Joshua Smith". Adrian Crenshaw. September 22, 2017. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  14. ^ "Black Hat USA 2013 - Java Every-Days: Exploiting Software Running on 3 Billion Devices". Black Hat. December 3, 2013. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
  15. ^ "Researchers Analyze Oracle WebLogic Flaw Under Attack". Dark Reading. May 11, 2020. Archived from the original on October 31, 2020. Retrieved October 21, 2020.
  16. ^ a b "Inside one of the world's largest bug bounty programmes". Computer Weekly. July 9, 2018. Archived from the original on September 20, 2020. Retrieved October 21, 2020.
  17. ^ "Pwn2Own contest will pay $900,000 for hacks that exploit this Tesla". Ars Technica. January 14, 2019. Archived from the original on November 7, 2020. Retrieved October 21, 2020.
  18. ^ "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits". Forbes. March 23, 2012. Archived from the original on March 14, 2014. Retrieved October 21, 2020.
  19. ^ a b "Zero-day sales not 'fair' - to researchers". The Register. June 3, 2007. Archived from the original on February 16, 2021. Retrieved October 21, 2020.
[edit]