The ZDI 2017 Retrospective

January 04, 2018 | Dustin Childs

When we left 2016, we said goodbye to our busiest year ever as the world’s largest vendor-agnostic bug bounty program. Little did we know that not only would we have a busier 2017, the Zero Day Initiative (ZDI) would exceed the previous year’s total by a whopping 309 advisories. When all was said and done, we published 700 advisories in 2016. While a case or two may trickle in as vendors notify us of patches, our current total for last year stands at 1,009. To add a little perspective to that, our year-over-year increase was greater than the total number of advisories we published in 2013. The knowledge gained from processing that many submissions confirmed some guesses, offered some surprises, and provided a glimpse at what’s to come.

By the Numbers

As mentioned, the ZDI published 1,009 advisories in 2017 – 309 more than were published in 2016. Of these, 119 (nearly 12%) were published as 0-day – an increase from 8% last year. Still, that means that 890 different issues were successfully coordinated with the vendor to release alongside a patch or other mitigation. These vulnerability reports didn’t just end up as security patches from vendors. Our colleagues over at DVLabs generated more than 750 pre-disclosure filters to help protect Trend Micro customers while vendors worked on a patch for everyone else.

Let us begin by acknowledging we could not have published these advisories without the talented and diverse group of researchers contributing to our program. People from around the globe send vulnerability reports to the ZDI, and the quality and volume never disappoint. Our program would not be successful without our worldwide community of researchers, and we thank them for their contributions.

Our program also relies on vendors patching the vulnerabilities we report to them, and we thank them for the work they do as well.

In 2016, the ZDI published more Adobe advisories than any other single vendor. In 2017, that title was claimed by Trend Micro, with 21% of our published advisories affecting our parent company. That also explains why there was such an increase – once Trend Micro acquired TippingPoint and ZDI, researchers knew we would likely purchase these reports. We experienced a similar influx of cases when first acquired by HPE as well. Adobe wasn’t too far behind, as they still accounted for 18% of our published advisories. Foxit was the next largest with 10%, while Microsoft and HPE each accounted for 9% of the published advisories.

Here’s the overall breakdown of vendors ZDI published advisories for in 2017:

[Figure: Breakdown of vendors ZDI published advisories for in 2017]

Although the total number of Adobe submissions increased this year, we saw the number of reports in Adobe Flash decrease from 2016. After Adobe announced the impending end of Flash, researchers began to turn their attention elsewhere – namely PDF documents. If you add the number of Adobe Reader, Foxit Reader, Microsoft Windows PDF Library, and other PDF-related advisories together, the total becomes close to 30% of the 2017 advisories. What’s really interesting here is that the submissions in PDF-related vulnerabilities don’t seem to be slowing at all and will likely continue as a trend in 2018.

Dealing with Rejection

Still, not every report we receive becomes an advisory. In fact, only 36.5% of submissions end up being published as an advisory. Reasons for rejecting a submission vary (see our FAQ), but this rate of rejection is similar to what we’ve seen in previous years. It’s also interesting to see which vendors have the most reports submitted. Adobe, Foxit, Microsoft, and HPE all had more submissions than Trend Micro even though these submissions resulted in fewer published advisories. This shows that some vendors are more popular with security researchers. Not surprisingly, those vendors produce a wide variety of software that attracts a wide variety of researchers.

We also receive many submissions for products or vulnerability types we’re simply not interested in. We are not currently making offers on bug reports involving: cross-site scripting (XSS), DLL planting, Denial of Service (DoS), web-based or online tools, ActiveX, post-authentication, most consumer products (widely used security products and some IoT may be the exception) and anything already publicly posted or otherwise known. If you are considering submitting to the program, we highly recommend taking a look at this blog post detailing what types of vulnerability reports we are purchasing and how to maximize the value of your research.

Spotting the Trend

We’ve already mentioned the trend of submissions moving away from Flash and moving towards PDF readers, but a few other categories look to be prominent in 2018 as well. As a program, these are the areas where we are investing our own research time, and we’d love to see your submissions in these topics, as well.

Virtual Machines

At this year’s Pwn2Own, two different teams demonstrated a guest-to-host escape in VMware. Since then, we’ve seen additional submissions in VMware, plus reports on Microsoft Hyper-V, Joyent SmartOS, and Oracle VM VirtualBox. While many consider the web browser the gateway to the cloud, virtual machines comprise the backbone of the cloud. Security researchers will continue to target these platforms as virtual machines increasingly touch various pieces of our day-to-day computing. 

Baseband

Our recent Mobile Pwn2Own saw two different baseband exploits demonstrated by competitors. With the ubiquity of mobile computing, rogue baseband towers could create havoc. We were definitely shocked to find a simple stack-based buffer overflow was all that was required to gain code execution on a target handset. We’re looking at baseband attacks closely now and expect others will be doing the same.

JavaScript/JIT

If you followed our series of Top 5 interesting bugs of 2017, you would have noticed a blog involving a pair of internally discovered JavaScript bugs. In fact, JavaScript is often a topic pursued by ZDI researchers and submitted to the program. Similarly, JIT bugs are a topic we talk about frequently. While compiler-introduced bugs have existed for years, the proliferation of JavaScript now means these compiler-introduced vulnerabilities can be triggered remotely. Because JavaScript is the most commonly used programming language on Earth, researchers will undoubtedly continue to uncover high-severity bugs in JavaScript engines.

Looking Ahead

If history is any indicator, 2018 will be an even bigger year than 2017. We’ve already published our first advisories of the new year, including our first 0-days of 2018.

[Figure: Published advisories from 2005 to 2017]

We currently have more than 300 submissions listed on our Upcoming page and no indication we’re slowing down. We’re also gearing up for the next Pwn2Own, which promises to be even bigger and better than ever before. Maybe we’ll break the $1,000,000 barrier for the contest after hitting $833,000 last year. Perhaps we’ll even get around to updating our website – it’s our New Year’s resolution (again). Until then, stay safe, stay tuned to this blog, and follow us on Twitter for the latest updates from the ZDI.