Updates and Enhancements to the Targeted Incentive Program
May 13, 2019 | Brian Gorenc
In July of 2018, the ZDI announced our Targeted Incentive Program (TIP) – a special program for research in what we deemed high-value targets. In our initial launch of the program, we focused on server-side vulnerabilities with the initial target list including Joomla, Drupal, WordPress, NGINX, Apache Web Server, and Microsoft IIS. In the autumn of 2018, we updated the TIP initiative with additional, high profile (and high reward) servers, including ISC BIND and Microsoft SMB. Today, we’re adjusting some of the rules, adding some new targets, and increasing the available awards to over $2,000,000 USD.
The goal of TIP has always been to increase the number of critical class, server-side vulnerabilities the ZDI receives from the research community. Through the TIP initiative, we originally offered special monetary awards for these targets, but only for the first successful entry and only for a certain period of time.
We received a few submissions (check out this write-up of a Drupal submission) and quite a bit of feedback from researchers. One of the biggest pieces of feedback we received had to do with the timelines on each product. People felt there just wasn’t enough time allotted to research and build a functioning exploit – especially for the higher-profile targets that have had years of defensive research already integrated into them. We heard you. As of today, targets covered by the TIP initiative will no longer be time constrained. As before, the bounty for each target will only be available until the first researcher provides a fully functioning exploit that demonstrates code execution, but outside of that, there’s no end date for the target. Once the prize for that particular target is claimed, it will be removed from TIP. New targets can be added to the program at any time as well.
After we launched the TIP initiative, we also heard from Trend Micro customers. While they were definitely intrigued about the included targets, their first question was almost inevitably, “What about containers?” That’s a good question. Application Containers offer many advantages over more traditional virtualization by allowing increased scalability and portability, fast deployments, and – at least according to container vendors – increased security. However, as with virtual machines, the isolation promised by containerization isn’t always guaranteed, as container escapes have been documented in the past. With that in mind, we are now including the Docker and the Kubernetes container orchestration systems in the TIP initiative.
We also recognize the importance of high profile (and prolifically deployed) Microsoft enterprise applications. We’ve seen some incredibly interesting research on Microsoft Exchange in the past, and we’d love to see even more. The mail server joins the Outlook mail client in this new, enterprise-focused category.
These products join the previously available targets in the categories of Content Management Systems (CMS), Web Servers, and Protocols & Standards. Here’s a complete list of the current TIP targets and their maximum available bounty:
Similar to winning Pwn2Own demonstrations, successful TIP entries need to be fully functioning exploits – not just proofs of concept. The vulnerabilities are required to be true 0-days and should affect the core code of the selected target. A successful entry must leverage a vulnerability (or vulnerabilities) to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions. Successful entries must defeat the target’s mitigations designed to ensure the safe execution of code, such as, but not limited to, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and/or application sandboxing. Submissions in commonly deployed add-ons or plug-ins may be considered for awards, but it depends on the usage and deployment of the specific add-on/plug-in. Researchers should reach out to us via email* for applicability of specific configurations as it relates to the TIP awards.
As with the existing program, the first exploit to successfully compromise a target will be awarded the amount indicated for that specific product. Again, there is no longer an “end date” to any of these targets. Each program will remain in scope until a winning entry is received. Subsequent submissions may still be purchased by the ZDI through the standard bug reporting process. Additional targets will be added to the program as existing targets drop off.
We will announce winners and any new categories on this blog as the TIP initiative continues. It’s our desire to provide a detailed analysis of the winning bug reports as they are patched by the vendors, so definitely stay tuned to the blog for exploit details and demonstrations.
The programs included in TIP represent some of the most widely used and relied upon software in modern computing. That makes the bug reports we’re seeking some of the most potentially impactful vulnerabilities out there. We’re looking forward to finding – and eliminating – as many of these bugs as possible. Want to disrupt some bad guys and get financially compensated for doing so? Submit your entry to the TIP initiative today.
Be sure to follow this blog and our Twitter for the latest information and updates about the program. We look forward to seeing the bug reports, and best of luck to all those submitting research.
*As a reminder, all submissions should be PGP encrypted. Our PGP public key is found here.
Our PGP fingerprint is 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228.