See how the end-to-end, vendor-agnostic disclosure process behind TrendAI™ Zero Day Initiative™ (ZDI) moves vulnerabilities from private discovery to coordinated patches and public advisories.
TrendAI™ ZDI's vendor-agnostic bug bounty program empowers researchers to submit their discoveries through a streamlined submission process and transparent valuation, with rewards that scale with impact.
Clear valuation: TrendAI™ ZDI applies consistent criteria to determine payout offers. Each submission is evaluated based on product deployment, privilege gained, exploitability under default configuration, and the product's relevance across industry environments. This provides a predictable and repeatable assessment.
Control over your work: Ownership remains with you until an offer is accepted. If a submission is declined or you choose not to proceed, the report stays yours.
Built for repeat contributors: TrendAI™ ZDI follows a streamlined workflow of submission, validation, and offer. Researchers who regularly provide high-quality reports often experience faster reviews and more efficient exchanges with the TrendAI™ ZDI team.
Tier structure that reflects expertise: Accepted submissions earn reward points equal to the payout value. These points accumulate toward Bronze, Silver, Gold, and Platinum tiers, each offering increased bonuses and additional incentives.
Impact-aligned rewards: Researchers who submit high-severity or high-value vulnerabilities advance through tiers more quickly and receive proportionally greater rewards.
Recognition within the ecosystem: Tier progression demonstrates credibility within the global research community and reflects a researcher's contribution to coordinated vulnerability disclosure.
Every accepted submission strengthens global defense and advances your standing as a researcher. TrendAI™ ZDI ensures your work is recognized, compensated, and used to reduce real-world cyber risks.
TrendAI™ ZDI determines payout offers using criteria that capture the real-world risk, exploitability, and operational importance of a vulnerability:
Product deployment: How broadly the affected product is used across consumer, enterprise, or critical infrastructure environments
Privilege gained: The impact of successful exploitation (client or server compromise) and the resulting privilege level
Default exposure: Whether the vulnerability is reachable under default configurations or requires optional settings
Product importance: The role the product plays in operational environments, including core infrastructure such as databases, e-commerce platforms, DNS, routers, and firewalls
User interaction: Any dependency on social engineering or user action, such as clicking a link, loading a page, or connecting to a host
Exploit reliability: How stable and repeatable the exploit is under normal conditions
Attack surface: Whether the flaw is remotely accessible, locally accessible, or requires authentication
If TrendAI™ ZDI does not extend an offer or if an offer is extended but not accepted, the submission remains the researcher's property and will not be used within the program.
A researcher identifies a previously unpatched vulnerability.
The vulnerability is submitted through the secure TrendAI™ ZDI portal and a case ID is assigned.
The TrendAI™ ZDI team verifies the submission, evaluates impact and severity, and sends a payout offer to the researcher.
Once the offer is accepted, the researcher is paid promptly via check or wire transfer.
The affected vendor is notified and coordinated disclosure begins before the vulnerability details are shared with other vendors and the public.
TrendAI™ ZDI's submission process is built to respect the researcher's work at every stage, from discovery to coordinated disclosure. It brings technical rigor together with clear communication so that researchers understand how their findings are valued, how decisions are made, and how their contributions reinforce global security.
The TrendAI™ ZDI researcher rewards program recognizes researchers whose work consistently advances coordinated vulnerability disclosure.
Every accepted submission earns points, bonuses, and multipliers that increase your rewards as your expertise and impact grow.
Point accumulation: For every accepted vulnerability, you earn one reward point for every dollar paid. These points determine your status and unlock additional incentives.
Tier progression: Your points move you through four reward tiers. Each tier offers a one-time bonus, a submission bonus applied to every payout, and a multiplier that increases the number of points you earn from future submissions.
Reward multipliers: Submission bonuses increase your payout amount. Point multipliers accelerate how quickly you advance through tiers. For example, a Platinum researcher receiving a US$4,000 valuation would receive US$5,000 (25% bonus) and 6,000 reward points (50% multiplier).
Advancing through the tiers reflects the consistency and quality of your research. Higher tiers unlock greater bonuses and make each submission more valuable over time.
Bronze (15,000 points)
Silver (25,000 points)
Gold (45,000 points)
Platinum (65,000 points)
TrendAI™ ZDI's referral program recognizes researchers who bring new talent into the disclosure ecosystem. A new researcher entering the program can list your TrendAI™ ZDI username in the optional referral field during registration. Once their first vulnerability is accepted and acquired by TrendAI™ ZDI, you earn 2,500 reward points. This referral credit is added directly to your existing points and counts toward tier progression, submission bonuses, and point multipliers.
The referral bonus operates entirely within the existing rewards program. Referrals can help you reach the next tier sooner, increase future submission bonuses, and raise the point multiplier applied to your next accepted findings. There is no limit on how many researchers you can refer, and each successful referral awards an additional 2,500 points.
Referral credit is awarded only after the referred researcher's first acquisition. Registration alone does not qualify. Referrals do not affect valuation decisions or submission priority. All referral terms are governed by the TrendAI™ ZDI researcher agreement and may change as the program evolves.
TrendAI™ ZDI gives you a structured, reliable source of vulnerability reports from our global research community. Instead of relying solely on internal testing or waiting for security issues to show up in the wild, you receive verified, privately disclosed findings early enough to remediate them before exploitation.
Global researcher coverage: The TrendAI™ ZDI community tests your products across diverse environments and default configurations. This helps identify issues your in-house security or QA teams might not encounter, especially in edge cases or high-variation deployments.
Actionable, validated reports: Every submission is reproduced, analyzed, and technically vetted by TrendAI™ ZDI researchers before it reaches your engineering or security teams. This reduces internal triage effort, minimizes false positives, and helps your product security teams focus on real, exploitable conditions instead of noise.
Coordinated disclosure for safer patch delivery: TrendAI™ ZDI provides private notification and time for your teams to develop and test patches. Full technical details are disclosed only after your fix is ready or the agreed disclosure window is reached, reducing exposure while keeping timelines predictable.
Early visibility into unknown or undisclosed flaws: TrendAI™ ZDI's discovery and validation process uncovers issues long before they might be found internally or observed in the wild. This reduces the likelihood of unreported vulnerabilities being silently exploited.
Clearer insights into exploitability: TrendAI™ ZDI's analysis provides impact, reproducibility, and exploitation requirements. Vendors receive the technical depth needed to design and validate patches more quickly and accurately.
Predictable disclosure windows: Because TrendAI™ ZDI follows a consistent disclosure policy, you know when an advisory will be published. This helps you align patch development, testing, and release cycles while reducing the need for rushed patches, emergency advisories, or disruptive updates for your users.
Stronger user confidence and brand reputation: Working with TrendAI™ ZDI helps you demonstrate a responsible approach to software security. Coordinated disclosure, timely patches, and transparent advisories show users and enterprise customers that vulnerabilities are addressed correctly and efficiently, which reinforces their trust in the security of your products.
Partnering with TrendAI™ ZDI gives you access to a large, expert-driven discovery pipeline and actionable vulnerability intelligence, all supported by a predictable, coordinated disclosure framework. This helps your teams reduce risk, improve patch quality, and deliver fixes to your users with greater confidence, clarity, and control.
TrendAI™ ZDI acquires vulnerabilities from researchers worldwide and works with vendors to coordinate fixes. For organizations, this research pipeline means earlier awareness of critical flaws across widely deployed products before public disclosure or active exploitation.
Early visibility into risks: TrendAI™ ZDI's advisories provide detailed information on vulnerabilities once the disclosure window is reached. Because TrendAI™ ZDI works across many vendors and product categories, organizations get consolidated insights into issues affecting their environments.
Mitigations before official patches: When applicable, TrendAI Vision One™, TrendAI™'s AI-powered enterprise cybersecurity platform, shields vulnerable systems until a vendor-supplied patch is available. This adds a meaningful layer of defense that reduces your organization's window of exposure.
Guidance on patch prioritization: TrendAI™ ZDI's advisories include information organizations need to evaluate urgency and potential impact. This helps your teams plan remediation, sequence patches, and allocate resources more effectively, especially during complex or high-volume update cycles.
Breadth of vulnerability discovery: TrendAI™ ZDI's global research community uncovers weaknesses across operating systems, cloud platforms, network devices, and enterprise applications, not just the products a single vendor chooses to test. This helps your organization see risk across real-world environments, including software outside the scope of your primary vendors.
High-confidence validation: Every submission is vetted, reproduced, and technically analyzed before it becomes an advisory. This removes ambiguity and gives your security teams validated information without requiring their own reverse engineering.
Earlier understanding of vulnerability behavior: TrendAI™ ZDI's analysis clarifies exploitability, impact, and the conditions required to trigger a flaw. This context helps your teams configure controls, segmentation strategies, and operational safeguards while awaiting patches.
Consistent disclosure governance: Because TrendAI™ ZDI, rather than individual vendors, manages disclosure timelines, TrendAI™ customers and organizations get more predictable publication windows and clearer guidance. This supports coordinated patch cycles across multiple technologies.
By combining researcher-driven discovery, coordinated disclosure, and available protections, TrendAI™ ZDI enables a more informed, resilient approach to vulnerability management.
From discovery and private disclosure to public protection, TrendAI™ ZDI's process is built on validation, coordination, and clarity that strengthen vulnerability management. Join our concerted effort to move security forward.