Announcing a Targeted Incentive Program for Selected Trend Micro Products

When Trend Micro acquired TippingPoint and the Zero Day Initiative back in 2016, we knew we would see an increase in bug submissions for Trend Micro products. This is to be expected. Although we had only purchased seven bug reports impacting Trend Micro between 2008 to 2015, researchers correctly assumed we would now be looking to purchase Trend Micro related bugs. And our world-wide network of independent researchers did not disappoint. In the first three years following the acquisition, we purchased 310 Trend-related bugs. However, in 2019, we only purchased one bug impacting Trend Micro.

Of course, this doesn’t mean that we’ve purchased all the bugs there are to be purchased. We’ve been running our bounty program since 2005 and know that’s not the case. It does mean that we aren’t utilizing the world’s largest vendor agnostic bug bounty program – the Zero Day Initiative – to the fullest extent to help find and fix vulnerabilities in Trend Micro products. We’re hoping to change that.

Today, we are excited to announce a special Targeted Incentive Program (TIP) for selected Trend Micro products. Similar to our existing TIP initiative, this new program offers researchers special monetary awards for bug submissions in specific Trend Micro products. Through the existing TIP initiative, we offer special monetary awards for mainly server-side targets, but only for the first successful entry. Our new TIP for Trend Micro products has no such limits and multiple submissions could earn a full award.

To start this program, we will be looking at the following Trend Micro products:

·  Apex One
·  OfficeScan
· Deep Security

All of these products are available from the Trend Micro Download Center. While this is our initial list of products, we expect to add other Trend Micro offerings as the program evolves.

Different payouts are available based on the type of bug and quality of the submission provided by the researcher, with the highest payout being provided for fully functioning exploits that demonstrate arbitrary code execution. We’ll also be awarding local privilege escalations (LPE), information disclosure bugs, and vulnerabilities that bypass authentication. While a full exploit will be eligible for the maximum payout, submissions that only include a proof of concept will still be accepted, they just won’t earn the maximum award. As always, the vulnerabilities are required to be zero-day vulnerabilities and should affect the selected target to receive the maximum bounty. Here’s a table of the available payouts:

Low severity vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF) are out of scope of this program.

There are a few other benefits we are including in this program. Qualifying submissions will earn an equivalent amount of ZDI researcher points. Similar to frequent flyer miles, accumulated points provide one-time cash payouts and percentage bonuses on future submissions. Again, there is no longer an “end date” to any of these targets, and you don’t have to be the first submission to earn a full award.

Offering a bug bounty provides a level of continuous testing for targets – provided the incentive is there for the researchers participating in the program. It’s our desire that this program encourages researchers to submit meaningful bugs in Trend Micro products so that we can then fix them and improve the security posture of our customers. Here at Trend Micro, we will still thoroughly test and audit our products, but we can do more by combining our efforts with independent researchers around the globe.

We’re looking forward to finding – and eliminating – as many bugs as possible. Want to disrupt some bad guys and get financially compensated for doing so? Submit your entry to this new TIP initiative today. Researchers should reach out to us via email* for applicability of specific configurations as it relates to the TIP awards.

Be sure to follow this blog and our Twitter for the latest information and updates about the program. We look forward to seeing the bug reports, and best of luck to all those submitting research.

*As a reminder, all communications should be PGP encrypted. Our PGP public key is found here.
Our PGP fingerprint is 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228.