Why Did We Create the Zero Day Initiative?
Today, there still remains a perception by some in the information security industry that vulnerability researchers are malicious hackers looking to do harm. While there clearly are skilled malicious hackers out there, they remain a very small minority of the total number of people who actually discover new software flaws. In reality, the number of benevolent researchers with the expertise required to discover a software vulnerability is a sizeable and fast-growing group. The dissemination of publicly available vulnerability analysis and discovery tools has helped foster this group of security enthusiasts. Also, it is not uncommon for "white hat" security professionals to stumble onto a new flaw while doing their day-to-day security work.
TippingPoint has its own security research organization, DVLabs. It made perfect sense, however, to augment DVLabs with the additional zero day research of this growing network of "extended researchers". Our approach was the formation of the Zero Day Initiative (ZDI), launched on August 15, 2005. (You can read more of a retrospective on the initial beginnings of the ZDI in this blog posting.) The main goals of the ZDI are to:
- Extend our DVLabs research team by leveraging the methodologies, expertise, and time of others
- Encourage the reporting of zero day vulnerabilities responsibly to the affected vendors by financially rewarding researchers
- Protect our customers through the TippingPoint Intrusion Prevention Systems (IPS) while the affected vendor is working on a patch
We do not resell or redistribute the vulnerabilities that are acquired through the ZDI.
How Does it Work?
Interested researchers provide TippingPoint with exclusive information about previously unpatched vulnerabilities they have discovered. TippingPoint collects background information in order to validate the identity of the researcher for ethical and financial oversight. TippingPoint validates the issue in its security labs and makes a monetary offer to the researcher. If the researcher accepts the offer, he/she will be paid promptly. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through a loyalty program similar to a frequent flier miles program.
After an agreement has been reached for the acquisition of a researcher's vulnerability, TippingPoint simultaneously develops IPS protection filters and notifies the affected vendor so the vendor can develop a vulnerability patch. TippingPoint discloses any and all acquired vulnerabilities to product vendors in accordance with the TippingPoint Vulnerability Disclosure Policy.
The disclosure policy ensures that both researchers and product vendors understand how TippingPoint handles vulnerability information. This policy further reassures researchers that in no case will any of their discoveries be "swept under the rug". It also reassures product vendors that there is a professional and standard set of guidelines they can expect to be utilized throughout the disclosure process.
Once a patch is ready from the affected vendor, TippingPoint works collaboratively with that vendor to notify the public of the vulnerability through a joint advisory that provides full credit to the originating researcher, unless the researcher chooses to remain anonymous. Before public disclosure of the vulnerability, TippingPoint also shares the technical details of the vulnerability with other security vendors so they too may prepare an appropriate security response for their customers. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.
In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, TippingPoint customers are only given a generic description of the filter provided, not the vulnerability itself. Once details are made public in coordination with the product vendor, TippingPoint's Digital Vaccine service for the Intrusion Prevention System provides an updated description so customers can identify the appropriate filters that were protecting them. In other words, TippingPoint customers will be protected from the vulnerability in advance, but they will not be able to discern the vulnerability itself.
The process is detailed below:
- A researcher discovers a vulnerability.
- The researcher logs into the secure ZDI portal and submits the vulnerability for verification and valuation.
- A case ID is generated allowing the researcher to uniquely identify and track the vulnerability through the ZDI secure portal.
- TippingPoint verifies the vulnerability and decides whether to make an offer.
- TippingPoint makes an offer for the vulnerability. The offer is sent to the researcher via e-mail.
- The researcher accepts the offer, assigning exclusivity of the information to TippingPoint.
- The researcher is paid via check or wire transfer. TippingPoint notifies the affected product vendor, and IPS protection filters are distributed to TippingPoint customers.
- Later, TippingPoint shares advance notice of the vulnerability details with other security vendors prior to public disclosure.
- TippingPoint and the affected product vendor coordinate public disclosure through a security advisory once a patch is ready. The researcher is given full credit for the vulnerability discovery or alternatively can remain anonymous to the public.