Inside one of the world’s largest bug bounty programmes

With more than 3,500 researchers worldwide, 3,500 vulnerabilities discovered and publicly disclosed, and more than $15m paid to researchers to date, Trend Micro’s Zero Day Initiative (ZDI) is one of the world’s largest supplier-agnostic bug bounty programmes.

Also known as a vulnerability rewards programme, a bug bounty programme rewards security researchers – or white hat hackers – for discovering software bugs, which are then disclosed to software suppliers to be fixed.

In 2016, the ZDI purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software. The Zero Day Initiative is the top external supplier of bugs for both companies, according to Brian Gorenc, director of vulnerability research at Trend Micro.

Additionally, being supplier-agnostic means the ZDI purchases bugs in many products, while some suppliers only purchase bugs in their own products.

“Not only does this give us more reports to convert into filters to protect our network defence customers, it also allows us to see what trends are occurring throughout the industry,” Gorenc told Computer Weekly.

That said, the ZDI is selective about what it buys. While it receives submissions for many classes of vulnerabilities – remote code execution, elevation of privilege and information disclosure, for example – it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programmes.

“The bugs we’re purchasing are some of the most impactful to consumers and enterprises, which is why we see researchers looking for them,” Gorenc said.

As with any bug bounty programme, responsible disclosure is key to minimising exposure to vulnerabilities for users.

Gorenc said the initiative’s disclosure process starts with a researcher submitting a previously unknown, unpatched vulnerability to the ZDI, which will validate the vulnerability, determine its worth and offer a reward to the researcher.

As a researcher discovers and provides additional research, bonuses and rewards can increase through a loyalty programme, similar to a frequent flier programme.

Secondly, the ZDI responsibly and promptly notifies the software supplier of the security flaw. The supplier is given 120 days to address the vulnerability.

Simultaneously, Trend Micro researchers create a filter to protect its customers from the unpatched vulnerability for an average of 72 days before an official patch is ready.

The software supplier could issue a patch for the vulnerability, or indicate to the ZDI that it is unable to, or chooses not to, patch the vulnerability.

The ZDI will then publicly disclose the details of the vulnerability on its website in accordance with its vulnerability disclosure policy.

Asked if software companies should be more accountable for defects that lead to vulnerabilities, Gorenc said although they should work to implement secure development practices, vulnerabilities are an inevitable part of all software.

“It’s important for companies to quickly remediate issues once they are known, and the ZDI is happy to help facilitate that process for some of the largest and most widely deployed software in the world,” he said.

“It is never Trend Micro’s approach to name and shame suppliers for any type of security incident – whether a product vulnerability, a breach, or otherwise. Instead, we focus on making the world safe for exchanging digital information for everyone.

“The ZDI creates a collaborative environment in which vulnerability research can positively benefit the software landscape and help improve products, with the end goal of preventing successful breaches and cyber attacks.”