15 Years of the Zero Day Initiative

August 20, 2020 | Brian Gorenc

Starting in 2005, 3Com announced a new program called the Zero Day Initiative. The plan was to financially reward researchers who discover previously unknown software vulnerabilities (“zero-day vulnerabilities”) and disclose them responsibly. The information about the vulnerability would be used to provide early protection to customers through TippingPoint IPS (Intrusion Prevention System) filters while the ZDI worked with the affected product’s maker to fix the vulnerability. That year, the ZDI published a total of one advisory, pertaining to Symantec VERITAS NetBackup. Fifteen years later, we’ve published more than 7,500 advisories as we evolved into the world’s largest vendor-agnostic bug bounty program. To say it’s been a journey is an understatement. It’s certainly had some ups and downs, but the program is stronger than ever and on track for our largest year ever. As we begin our 16th year, let’s take a look at some of the more notable happenings in the life of the ZDI program. 

2005 – 2010

Looking back at our activities through these years induces nostalgia as it reminds us of the bugs we bought in products (and companies) that are no longer with us. We can also see the rise of research into different products and technologies. For example, we bought only two Apple bugs in 2006. That number rose to 52 by 2010. Java bugs, particularly sandbox escapes, were also popular during this time. It’s a bit odd to look back at the progression from buying bugs in what was simply known as “Java”, to buying bugs in “Sun Microsystems Java”, to buying bugs in “Oracle Java”.

This time period also saw the first Pwn2Own contest, which was in 2007. The contest launched at a time when “I’m a Mac. And I’m a PC” commercials dominated the airwaves and Apple devices had an aura of invincibility around them. Astute security researchers knew better, and Dino Dai Zovi proved it, winning himself a MacBook and $10,000. The contest has grown exponentially since that time. There are now three different competitions: Pwn2Own Vancouver, which focuses on enterprise software; Pwn2Own Tokyo, which focuses on consumer devices; and Pwn2Own Miami, introduced this year with a focus on ICS-SCADA products. Pwn2Own also served as a “coming out” for many high-profile researchers who, after winning the contest, went on to work on various prestigious teams and projects. 

2010 – 2015

This was a transitional period for the program as 3Com, together with ZDI, was purchased by Hewlett-Packard, then later split off as part of Hewlett Packard Enterprise. However, the core principles upon which the program was founded on remain the core principles we operate by today:

-       Encourage the responsible disclosure of zero-day vulnerabilities to the affected vendors.
-       Fairly credit and compensate the participating researchers, including yearly bonuses for researchers who are especially productive within the program.
-       Hold product vendors accountable by setting a reasonable deadline for remediating reported vulnerabilities.
-       Protect our customers and the larger ecosystem.

By this time, the ZDI was large enough to have an impact on the overall ecosystem. It was during this period that we grew to become the world’s largest vendor-agnostic bug bounty program, a title we still hold. In 2011, we had our first public zero-day disclosure when a vendor failed to meet the patch deadline. Over the years, holding vendors accountable has helped lower their response time from more than 180 days to less than 120. Even though we reduced our disclosure window, the rate of 0-day disclosure stayed relatively consistent.

Another big change during this period was the increase in research work done by the vulnerability researchers employed by the ZDI program. There have always been great people working on the program doing root cause analysis on submissions, but an increase in the size of the team allowed for members of ZDI to begin reporting their own bugs as well. ZDI researchers increasingly published their findings and expanded their speaking at high-profile conferences including Black Hat and DEFCON.

The increased size also helped spot some trends in exploitation. It was also during this time that we saw a surge in submissions of Java bugs. However, once browsers implemented “Click-to-Play,” practical exploitation became more difficult. Bugs exploiting Use-After-Free (UAF) conditions in Internet Explorer were also quite common until the Isolated Heap and MemGC mitigation were silently introduced by Microsoft. ZDI researchers found a way to exploit the mitigations and were awarded $125,000 from Microsoft for the submission. Interestingly, Microsoft chose not to fix all the submitted bugs, so a portion of the report ended up as a publicly-released 0-day. In case you’re wondering, all of the money was donated to various STEM charities.

During this timeframe, the bug bounty landscape became normalized and broadened. Vendors such as Microsoft and Google started their own bounty programs. Bug bounty platforms were created that allowed companies like Starbucks and Uber to offer bounties. The idea of crowdsourcing research entered the mainstream. Not every program was successful, as some vendors suddenly realized that if you offer money for bug reports, you get bug reports. This left some companies scrambling to react after starting their program with mixed results. It was definitely a time of growth and learning throughout the industry.

Pwn2Own continued to grow as well. 2010 saw Pwn2Own’s first successful mobile device exploit, demonstrated by Ralf-Philipp Weinmann and Vincenzo Iozzo against the Apple iPhone 3GS. We also started seeing vendors release large patches just before the contest. Since the rules require the “latest version” for all exploits, contestants often found themselves “patched out” just before the contest. It also meant the ZDI had to scramble to get the targets up to date with all of the latest patches – often staying up all night installing updates. In 2012, a second contest – Mobile Pwn2Own – was added to focus on phones and tablets.

2015 – Present

In 2015, Trend Micro acquired the HP TippingPoint IPS and the ZDI program along with it. This opened a new world of opportunity for ZDI, as the vulnerability intelligence produced by the ZDI program could now be used to improve not only the TippingPoint IPS but other products within Trend Micro’s line of security solutions as well. ZDI’s association with Trend Micro also resulted in a massive increase in interest in vulnerabilities in Trend Micro products themselves. To their credit, Trend Micro product teams have not shied away from the work of fixing the bugs submitted by independent ZDI researchers, and we have established a Targeted Initiative Program just for select Trend products.

The threat landscape shifted as well. Before 2015, we rarely saw an Adobe Reader submission outside of Pwn2Own. Once we reached 2015, there were more than 100 submissions. Many of those reports were submitted by ZDI researchers. Overall, internal finds represent ~20% of all of the cases we process every year. Bugs affecting Acrobat, Foxit, and other PDF readers continue to be prevalent. We’ve also seen the rise of deserialization bugs and a sharp increase in ICS/SCADA vulnerabilities. Home routers have also become a popular target since they can be compromised en masse to be used in botnets and DDoS attacks. As a result, the ZDI adapted and began accepting hardware-related submissions, especially those related to IoT devices.

The introduction of the Wassenaar Arrangement posed some challenges – especially when purchasing bug reports from member countries. However, we were able to navigate the paperwork needed to transfer “cyber arms” and stay on the right side of the law. 

The Virtualization category was introduced to Pwn2Own in 2016, and since that time, we’ve had several guest-to-host escapes demonstrated. The contest celebrated its 10th anniversary in 2017 by acquiring 51 0-day vulnerabilities over the three-day contest. In 2019, we partnered with Tesla to award a Model 3 to a pair of researchers who exploited the car’s infotainment system. ZDI researchers also demonstrated their own exploit of the infotainment system. The contestants have changed over the years, as well. In the beginning, individual researchers made up the majority of entries with only a few teams participating. At one point, this shifted to most participants being teams sponsored by their employers. There have even been instances of teams filing bug reports with vendors before the contest in the hopes of killing their competitors’ exploits. In the past couple of years, that has shifted back towards individuals and small, independent teams.

And we’ve never stopped growing. We hit our peak of 1,450 published advisories in 2018, and we’re set to eclipse that this year. In fact, we’ve been recognized as the world’s leading vulnerability research organization for the past 13 years. According to Omdia, the ZDI was responsible for over half of all measured vulnerability disclosures in 2019, more than any other vendor.

Moving Forward

Over the past 15 years, we’ve seen trends in the exploit economy and vulnerability marketplace come and go, but through it all, we’ve been laser-focused on one thing: making the digital world more secure, one CVE at a time. Through the tireless work of ZDI researchers and the wider community, we’re determined to continue disrupting the vast cybercrime economy and raising the bar for enterprise software security for the next 15 years and beyond.

We look forward to what tomorrow brings.