About ZDI


Today, there still remains a perception by some in the information security industry that vulnerability researchers are malicious hackers looking to do harm. While there clearly are skilled malicious hackers out there, they remain a very small minority of the total number of people who actually discover new software flaws. In reality, the number of benevolent researchers with the expertise required to discover a software vulnerability is a sizeable and fast-growing group. The dissemination of publicly available vulnerability analysis and discovery tools has helped foster this group of security enthusiasts. Also, it is not uncommon for "white hat" security professionals to stumble onto a new flaw while doing their day-to-day security work.

TippingPoint has its own security research organization, DVLabs. It made perfect sense, however, to augment DVLabs with the additional zero-day research of this growing network of "extended researchers". Our approach was the formation of the Zero Day Initiative (ZDI), launched on July 25, 2005. The main goals of the ZDI are to:

Amplify the effectiveness of our team by creating a virtual community of skilled researchers.

Encourage the responsible reporting of zero-day vulnerabilities through financial incentives.

Protect TippingPoint customers from harm until the affected vendor is able to deploy a

We do not resell or redistribute the vulnerabilities that are acquired through the ZDI.

Interested researchers provide TippingPoint with exclusive information about previously unpatched vulnerabilities they have discovered. TippingPoint collects background information in order to validate the identity of the researcher for ethical and financial oversight. TippingPoint validates the issue in its security labs and makes a monetary offer to the researcher. If the researcher accepts the offer, he/she will be paid promptly. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through a loyalty program similar to a frequent flier miles program.

After an agreement has been reached for the acquisition of a researcher's vulnerability, TippingPoint simultaneously develops IPS protection filters and notifies the affected vendor so the vendor can develop a vulnerability patch. TippingPoint discloses any and all acquired vulnerabilities to product vendors in accordance with the TippingPoint Vulnerability Disclosure Policy.

The disclosure policy ensures that both researchers and product vendors understand how TippingPoint handles vulnerability information. This policy further reassures researchers that in no case will any of their discoveries be "swept under the rug". It also reassures product vendors that there is a professional and standard set of guidelines they can expect to be utilized throughout the disclosure process.

Once a patch is ready from the affected vendor, TippingPoint works collaboratively with that vendor to notify the public of the vulnerability through a joint advisory that provides full credit to the originating researcher, unless the researcher chooses to remain anonymous. Before public disclosure of the vulnerability, TippingPoint also shares the technical details of the vulnerability with other security vendors so they too may prepare an appropriate security response for their customers. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.

In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, TippingPoint customers are only given a generic description of the filter provided, not the vulnerability itself. Once details are made public in coordination with the product vendor, TippingPoint's Digital Vaccine service for the Intrusion Prevention System provides an updated description so customers can identify the appropriate filters that were protecting them. In other words, TippingPoint customers will be protected from the vulnerability in advance, but they will not be able to discern the vulnerability itself.