The TippingPoint IPS launched as the first intrusion prevention system in 2002. We provide a "virtual patch" functionality that protects vulnerable systems from compromise when host-by-host patches have not been applied or do not yet exist from the vendor. Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers. By writing vulnerability filters for security issues that come in through the Zero Day Initiative, the Trend Micro TippingPoint IPS maintains a competitive edge while protecting customers and encouraging security researchers to bring findings into the public domain.
Our goal for the Zero Day Initiative is to provide our customers with the world's best intrusion prevention systems and secure converged networking infrastructure. In order to accomplish this, we need access to the best and most timely security intelligence available.
Trend Micro has invested considerable resources to ensure the Zero Day Initiative is successful. We believe our rewards program is the most lucrative available. Besides the obvious benefit of more compensation and higher incentives, the ZDI's approach to the acquisition of vulnerability information is different than any program to date. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. Any protection filters written for submitted vulnerabilities that Trend Micro distributes to its customers are obscured by being described only in very general terms and are encrypted to prevent reverse engineering.
No. Individuals from most countries globally can participate in the ZDI. If there are issues with your participation due to the country in which you live, you will be advised of this during the application process and the ZDI team will make all accommodations legally permissible to allow your participation.
Please visit the ZDI Secure Portal.
Once you sign on as a new researcher in the ZDI program, you are given login credentials to the portal. On the ZDI site, you can track your current Rewards points, review the status of all pending cases, and view where your vulnerabilities are in the vendor disclosure lifecycle.
Researchers can submit their vulnerabilities in any form they choose (e.g., sample exploit code, a detailed description of the vulnerability, etc.). A ZDI security researcher will follow up directly with the researcher if more details are needed. You can refer to this blog post to see how to maximize your submission.
There is no limit on the number of vulnerability reports.
On occasion, we may receive information from multiple researchers regarding the same vulnerability in the same vendor product. If this occurs, the first researcher who provides information that can be verified by our ZDI team will be compensated, if they accept our offer. Subsequent researchers submitting the same vulnerability will not.
On average, we respond within two weeks. Verification times vary from a few days to a few weeks depending on a number of factors such as the current queue of vulnerability submissions, the complexity of verification and the difficultly of obtaining and configuring the target environment.
Our methods of payment include bank wire transfer or mailed check. Researchers can decide which method suits them best when they sign on to the ZDI portal and set their preferences.
Depending on the payment method you select, it may take anywhere from two to three weeks.
Yes. If you are a U.S. citizen (including a resident alien) for IRS tax purposes, you must provide us a completed and signed W-9 form prior to receiving any payments from us. Click here for a blank W-9 form.
A multiplier is an added incentive to frequent researchers. For example, if you have ZDI Platinum status and receive a vulnerability valuation of $5,000, then you would receive a payment of $6,000 (25% multiplier) and 10,000 reward points (100% multiplier).
No. For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known black hats or illegal groups.
We will keep your identity hidden from the public and/or vendor according to your wishes.
No. The reason we're making such an investment in vulnerabilities is to maintain exclusivity and also to protect all end users, including non-Trend Micro customers, until a patch is available from the vendor.
The success of the ZDI depends on mutual trust between Trend Micro and ZDI researchers. Researchers trust Trend Micro not to do anything with the vulnerability report until a mutual agreement is in place. We trust you to grant us exclusive access to this information. If researchers violate exclusivity, they will be prohibited from participating in the ZDI.
Absolutely. We will let you know where things stand with all of your own current cases with regards to vendor disclosure. This information is tracked in your section of the ZDI portal.
The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any vendor's product. However, we are encouraging security researchers and other individuals who become aware of vulnerabilities to participate in our program for their own financial benefit and for the benefit of the vendor, security and end user communities at large.
In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, Trend Micro customers are only provided a generic description of the filter provided but are not informed of the vulnerability. Once details are made public in coordination with the product vendor, Trend Micro's Digital Vaccine® service provides an updated description so that customers can identify the appropriate filters that were protecting them. In other words, Trend Micro will be protected from the vulnerability in advance, but they will not be able to tell from the description what the vulnerability is.
Trend Micro follows its Vulnerability Disclosure Policy when reporting security vulnerabilities to product vendors. Obviously, responsible disclosure only works well when an affected product vendor makes a concerted effort to evaluate and address the reported flaw. Trend Micro will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Trend Micro will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no case will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.