FAQs
Frequently asked questions
Whether you report, patch, defend, or cover cybersecurity, TrendAI™ Zero Day Initiative™ (ZDI) has the answers that matter to your role.
I'm a researcher
TrendAI™ has invested considerable resources to ensure that TrendAI™ ZDI is successful. We believe that our rewards program is the most lucrative available. Besides the obvious benefit of more compensation and higher incentives, TrendAI™ ZDI's approach to the acquisition of vulnerability information is different from any other program's to date. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. Any protection filters written for submitted vulnerabilities that TrendAI™ distributes to its customers are obscured by being described only in very general terms and are encrypted to prevent reverse engineering.
TrendAI™ ZDI accepts previously unpatched vulnerabilities in a wide range of products, including, but not limited to, operating systems, browsers, enterprise and consumer software, industrial control systems, and products listed in Pwn2Own tracks.
There is no limit on the number of vulnerabilities you can report.
You can submit your vulnerability discovery in any form you choose (e.g., sample exploit code, a detailed description of the vulnerability). A TrendAI™ ZDI team member will follow up directly with you if more details are needed.
Log in to TrendAI™ ZDI's researcher portal to track your current rewards points, review the status of all pending cases, and view where your vulnerabilities are in the vendor disclosure lifecycle.
Submission bonuses increase your payout amount. Point multipliers accelerate how quickly you advance through tiers. For example, a Platinum researcher receiving a US$4,000 valuation would receive US$5,000 (25% bonus) and 6,000 reward points (50% multiplier).
Advancing through the tiers reflects the consistency and quality of your research. Higher tiers unlock greater bonuses and make each submission more valuable over time.
Bronze
(15,000 points)
- US$2,000 one-time bonus
- 10% bonus on future submissions
- 10% reward point multiplier
Silver
(25,000 points)
- US$5,000 one-time bonus
- 15% bonus on future submissions
- 15% reward point multiplier
Gold
(45,000 points)
- US$10,000 one-time bonus
- 20% bonus on future submissions
- 25% reward point multiplier
Platinum
(65,000 points)
- US$25,000 one-time bonus
- 25% bonus on future submissions
- 50% reward point multiplier
On occasion, we might receive information from multiple researchers regarding the same vulnerability in the same vendor product. If this occurs, the first researcher who provides information that can be verified by the TrendAI™ ZDI team will be compensated, if they accept our offer. Subsequent researchers submitting the same vulnerability will not.
On average, we respond within two weeks. Verification times vary from a few days to a few weeks depending on a number of factors, such as the current queue of vulnerability submissions, the complexity of verification, and the difficulty of obtaining and configuring the target environment.
Our methods of payment include bank wire transfer or mailed check. You can decide which method suits you best when you sign on to the TrendAI™ ZDI researcher portal and set your preferences.
Depending on the payment method you select, it might take anywhere from two to three weeks.
Yes. If you are a US citizen (including a resident alien) and have to file documents for IRS tax purposes, you must provide us a completed and signed W-9 form prior to receiving any payments from us. Click here for a blank W-9 form.
No. Individuals from most countries globally can participate. If there are issues with your participation due to the country in which you live, you will be advised of this during the application process and the TrendAI™ ZDI team will make all accommodations legally permissible to allow your participation.
No. For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known malicious actors or illegal groups.
We will keep your identity hidden from the public and/or vendor according to your wishes.
No. The reason we're making such an investment in vulnerabilities is to maintain exclusivity and also to protect all end users, including non-TrendAI™ customers, until a patch is available from the vendor.
The success of TrendAI™ ZDI depends on mutual trust between TrendAI™ and TrendAI™ ZDI researchers. Researchers trust TrendAI™ not to do anything with the vulnerability report until a mutual agreement is in place. We trust you to grant us exclusive access to this information. If researchers violate exclusivity, they will be prohibited from participating in TrendAI™ ZDI.
Absolutely. We will let you know where things stand with all of your own current cases with regards to vendor disclosure. This information is tracked in your section of the TrendAI™ ZDI portal.
I'm a vendor
TrendAI™ ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any vendor's product. However, we are encouraging security researchers and other individuals who become aware of vulnerabilities to participate in our program for their own financial benefit and for the benefit of the vendor, security, and end-user communities at large.
In order to maintain the secrecy of a researcher's discovery until a product vendor can develop a patch, TrendAI™ customers are provided only a generic description of the filters but are not informed of the vulnerability. Once details are made public in coordination with the product vendor, TrendAI™ provides an updated description so that customers can identify the appropriate filters that were protecting them. In other words, TrendAI™ customers will be protected from the vulnerability in advance, but they will not be able to tell from the description what the vulnerability is.
TrendAI™ ZDI follows its vulnerability disclosure policy when reporting security vulnerabilities to product vendors. Responsible disclosure works well only when an affected product vendor makes a concerted effort to evaluate and address the reported flaw. TrendAI™ ZDI will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, TrendAI™ ZDI will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no case will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.
The vendor receives a private notification with all necessary details to begin their internal review. If the vendor does not respond within five business days, TrendAI™ ZDI follows up with another attempt. A lack of response after 10 business days prompts us to reach the vendor through alternative channels, including industry partners, or the national or local CERT. When the vendor replies, the case enters the standard coordination window, during which TrendAI™ ZDI and the vendor work together until a patch is ready. If the vendor remains unreachable, TrendAI™ ZDI may issue a public advisory 15 business days after the initial contact, following our disclosure policy.
TrendAI™ ZDI sends the vendor a complete package of technical information, which includes reproducible steps, vulnerability details, severity context, and any additional data required to understand impact. TrendAI™ ZDI's researchers are available to clarify exploit behavior or address patch-related questions. This ensures that the vendor has all the information needed to reproduce, diagnose, and fix the issue accurately.
Under the standard policy, vendors have 120 days from initial notification to produce a patch or corrective update. This timeline may be shorter for vulnerabilities caused by incomplete or faulty patches, where TrendAI™ ZDI applies a tiered structure of 30, 60, or 90 days depending on severity and available mitigations. Extensions are granted only at TrendAI™ ZDI's discretion.
If a vendor is unwilling or unable to provide a patch within the allotted timeline, TrendAI™ ZDI proceeds with responsible disclosure. In this case, TrendAI™ ZDI may publish an advisory with limited technical detail while offering to collaborate with the vendor on documenting available workarounds. TrendAI™ ZDI does not withhold vulnerabilities indefinitely. Our policy ensures that flaws cannot be ignored or buried.
Yes. Vendors frequently request clarification or ask follow-up questions about exploitability, affected components, or potential patch regressions. TrendAI™ ZDI supports these requests to ensure that the vendor fully understands the flaw and can develop a complete fix.
Once a patch is ready, the vendor may release its official update and the vulnerability becomes eligible for coordinated public disclosure. At that point, TrendAI™ ZDI publishes its advisory, and the vendor may publish its own bulletin. These advisories typically acknowledge one another and credit the submitting researcher.
No. TrendAI™ ZDI is a vendor-agnostic program. It accepts vulnerabilities affecting operating systems, browsers, enterprise software, cloud platforms, industrial control systems and OT equipment, consumer applications, and devices, to name a few. Vendors across all categories participate in TrendAI™ ZDI's disclosure process.
TrendAI™ ZDI will never resell vulnerabilities or use them offensively. TrendAI™ ZDI follows a clear disclosure policy. However, TrendAI™ ZDI will not suppress a vulnerability indefinitely. If a vendor chooses not to patch the flaw, we will still move forward with responsible disclosure, with minimized and sanitized detail and documented workarounds, to protect the broader public.
All coordination begins privately. TrendAI™ ZDI researchers communicate directly with the vendor using nonpublic channels and does not disclose technical details until the vendor issues a patch. Even the protection filters deployed to TrendAI™ customers are encrypted and cannot reveal underlying vulnerability information. Only after coordination is complete, or if contact is impossible despite multiple attempts, will TrendAI™ ZDI issue a public advisory.
I'm a TrendAI™ customer
TrendAI™ ZDI's disclosures cover widely used platforms, so the downstream impact spans governments, healthcare services, financial institutions, industrial and utilities, communications, and cloud providers. Because these platforms sit under citizen portals, electronic medical records, banking systems, ICS/OT, and SaaS workloads, TrendAI™ ZDI's findings are routinely tied to vulnerabilities that, if left unpatched, could affect public services, hospitals, banks, critical infrastructure, and large enterprises globally.
TrendAI™ ZDI is vendor-agnostic. We responsibly disclose vulnerabilities in a broad range of software, including desktop and server operating systems, browsers, office suites, virtualization platforms, hypervisors, cloud and container technologies, ICS/OT components, and consumer/enterprise applications. The Pwn2Own tracks alone have included web browsers, enterprise software, virtualization platforms, automotive systems, and ICS/OT gear as regular targets.
TrendAI Vision One™, TrendAI™'s AI-powered enterprise cybersecurity platform, draws on global intelligence sources to predict and prevent attacks, including TrendAI™ ZDI. We provide verified vulnerability data, including affected products, versions, exploitability, root causes, and timelines. TrendAI Vision One™ uses this intelligence to improve exploit prediction, exposure scoring, and automated prioritization.
Yes. TrendAI™ customers are covered by virtual patching and security filters that are delivered in advance of public disclosure. Even if a vendor never ships a robust fix (or ships a faulty one), the issue will not be ignored. TrendAI™ will continue to provide mitigations via filters and rules, giving customers a defensive layer even in the absence of a good vendor patch.
Once TrendAI™ ZDI researchers validates a vulnerability finding, TrendAI™'s product teams turn that intelligence into protection rules and filters (e.g., network IPS, endpoint, email, cloud workload), so that customers are shielded from exploitation attempts while vendors work on patches.
Every advisory has an identifier, affected vendor/product, and technical description. TrendAI™ correlates those IDs with internal rule IDs and filters in products such as TrendAI Vision One™ (TrendAI™'s AI-powered enterprise cybersecurity platform), network virtual patching, and endpoint protection.
For example, TrendAI Vision One™'s Zero Trust Risk Insights correlates customer vulnerability data with global vulnerability intelligence to identify critical vulnerabilities, which then show up in dashboards and risk views that map to actual protection controls.
Yes. Each TrendAI™ ZDI advisory is structured with fields, such as affected vendor, product, version, vulnerability type, impact, and CVSS score. These already group issues by technology stack (e.g., hypervisor, browser, ICS). Additionally, TrendAI Vision One™, TrendAI™'s AI-powered enterprise cybersecurity platform, correlates TrendAI™ ZDI intelligence with your own asset inventory and vulnerability data, tagging issues by asset type and environment (e.g., cloud workload, identity system, or endpoint). That correlation uses TrendAI™'s global vulnerability intelligence sources, including TrendAI™ ZDI, to identify critical vulnerabilities relevant to your environment.
TrendAI™ ZDI's advisories give the context to product and technology, while TrendAI™'s platform layers additional metadata so you can search and filter for AI-adjacent components, cloud workloads, or industry-specific systems. These mappings are maintained by TrendAI™'s threat and vulnerability research teams as products and technologies evolve.
TrendAI Vision One™, TrendAI™'s AI-powered enterprise cybersecurity platform, has a feature where customer vulnerability data is uploaded, then correlated with global vulnerability intelligence to identify critical vulnerabilities. For example, if your environment inventory shows a vulnerable version of a product that has a TrendAI™ ZDI advisory, TrendAI Vision One™ can flag it in your risk views, exposure dashboards, or specific vulnerability or asset list.
Once a patch is ready, the vendor may release its official update and the vulnerability becomes eligible for coordinated public disclosure. At that point, TrendAI™ ZDI publishes its advisory, and the vendor may publish its own bulletin. These advisories typically acknowledge one another and credit the submitting researcher.
TrendAI™ ZDI already provides visibility into upcoming advisories through its public upcoming advisories list. It shows vulnerabilities that TrendAI™ ZDI researchers have discovered but have not yet been publicly disclosed.
Each upcoming advisory includes the vendor name and the date the vendor was notified. While these entries don't include technical details, they indicate that a vulnerability exists and is in the coordinated disclosure process.
I'm a media practitioner
Unlike other disclosure or bug bounty programs that often publish raw submissions, TrendAI™ ZDI acts as a curated and moderated channel. Every report is validated, reproduced, and triaged by our researchers before the affected vendor is notified. With focus on impact, our program prioritizes coordinated disclosure, predictable timelines, and early protection for our customers while maintaining transparency for the broader security community and end users.
TrendAI™ ZDI rewards researchers for their discoveries so that they can focus on purposeful, defensive work instead of chasing publicity or unstructured, ad hoc reporting. By acquiring a vulnerability submission, we take responsibility for validating the research, coordinating with the vendor, managing disclosure timelines, and ensuring the bug is fixed and publicly documented. Our approach increases participation of researchers and ensures that their work contributes directly to global security improvements.
If the vendor is unresponsive or the remediation exceeds the allowed window, we release an advisory with the details necessary for defensive measures. The goal is not to pressure for publicity, but to prevent the vulnerability's prolonged exposure in the wild.
We publish advisories based on the vendor's readiness to issue a patch, the vulnerability's risk of exploitation, our responsible disclosure guidelines, and the technical nature of the vulnerability. When full details pose immediate risk or when patch rollout is still underway, we may limit the specifics temporarily.
TrendAI™ ZDI accepts discoveries from independent researchers, academics, private labs, and corporate security teams globally. Our researcher ecosystem spans multiple continents, platforms, industries, and skill levels. However, under US law, we are unable to accept researchers who reside in Cuba, Iran, North Korea, Sudan, or Syria.
TrendAI™ ZDI evaluates findings based on exploitability and real-world impact, clarity and reproducibility of the submission, security relevance, affected vendor or product coverage, and our disclosure policy. Submissions that cannot be reproduced or verified will not be acquired.
A CVSS (Common Vulnerability Scoring System) score reflects severity, not likelihood. When reporting, journalists should contextualize their reporting about a vulnerability by considering whether exploitation has been observed, whether mitigations or virtual patches exist, the breadth of affected deployments, the type of impact, and the complexity of exploitation.
TrendAI™ ZDI advisories aim to provide enough information to report accurately without inflating or minimizing risk. This also mirrors recommendations in responsible disclosure frameworks used by regulatory bodies.
TrendAI™ ZDI does not publish a public catalog of exploitation telemetry. However, advisories may reference exploitation status when information is available through vendors, industry partners, or public incident reports.
Once a demonstration is confirmed, TrendAI™ ZDI documents the exploit chain, notifies the affected vendor, and initiates the standard coordinated disclosure process. Researchers are rewarded based on the contest structure and the vendor develops patches based on the reported details. Patches and advisories follow the same lifecycle as standard TrendAI™ ZDI submissions.
TrendAI™ ZDI already provides visibility into upcoming advisories through its public upcoming advisories list. It shows vulnerabilities that TrendAI™ ZDI researchers have discovered but have not yet been publicly disclosed.
Each upcoming advisory includes the vendor name and the date the vendor was notified. While these entries don't include technical details, they indicate that a vulnerability exists and is in the coordinated disclosure process.
For other inquiries, contact us through the following:
- Email: media_relations@trendmicro.com
- For sensitive email communication: PGP key
- X (formerly Twitter): @thezdi
- Mastodon: @thezdi
I have a general inquiry
TrendAI™ Zero Day Initiative™ (ZDI) is the world's largest vendor-agnostic vulnerability acquisition and disclosure program. Built around a global community of independent researchers, internal analysts, and long-standing vendor partnerships, TrendAI™ ZDI serves as a trusted channel to validate zero-day vulnerabilities, work with affected vendors to issue patches, and ensure early protection for users.
TrendAI™ ZDI began as a program launched in 2005 by TippingPoint to address gaps in vulnerability disclosure and researcher recognition. Over time, it evolved under the stewardship of TrendAI™ into a fully scaled ecosystem aimed at improving global security through coordinated, responsible disclosure.
TrendAI™ ZDI supports more than 19,000 external vulnerability researchers, partnered with our own team of over 450 researchers and analysts across 14 global threat centers.
Pwn2Own is TrendAI™ ZDI's flagship, invitation-based contest where security researchers attempt to exploit previously unknown vulnerabilities in widely used software, devices, vehicles, and industrial systems. Successful attacks earn cash prizes, "Master of Pwn" points, and the device or target they successfully compromised.
The contest runs multiple times a year and focuses on targets such as web browsers, operating systems, virtualization platforms, connected cars, EV chargers, ICS/OT equipment, and AI-enabled devices. All winning vulnerabilities are purchased by TrendAI™ ZDI, reported to vendors under responsible disclosure, and only made public after patches or mitigations are available.
For other inquiries, contact us through the following:
- General inquiries: zdi@trendmicro.com
- Media inquiries: media_relations@trendmicro.com
- For sensitive email communication: PGP key
- X (formerly Twitter): @thezdi
- Mastodon: @thezdi