TippingPoint Zero Day Initiative
 

Program Benefits

The amount we offer to a researcher for a particular vulnerability depends on the following criteria:

  • Is the affected product widely deployed?

  • Can exploiting the flaw lead to a server or client compromise? At what privilege level?

  • Is the flaw exposed in default configurations/installations?

  • Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?

  • Does the attacker need to social engineer his victim? (e.g. clicking a link, visiting a site, connecting to a server, etc.)

To determine the worth of a vulnerability, researchers should sign up for an account and submit it for a valuation. If an offer is not made or an offer is made but not accepted by the researcher, the vulnerability information will remain the property of the researcher and will not be used in the Zero Day Initiative (ZDI) program. We reserve the right to not make an offer to acquire a vulnerability for any or no reason.

The success of the ZDI program depends on developing a mutual trust and loyalty over time with participating security researchers. To reward repeated patronage of the ZDI, we developed the following incentive programs.

ZDI Referral Program

For each new researcher who is referred to the ZDI, the referrer is given 2,500 ZDI Rewards points (see below) after that referral's first vulnerability is acquired under the ZDI.

ZDI Rewards Program

As a member of the ZDI program, you earn points each time a vulnerability submission is purchased. Points are treated in a manner similar to airline frequent flyer miles: they accrue each year on a dollar-for-dollar basis, based on the total amount paid for the researcher's vulnerability submissions during that calendar year. For instance, if the Zero Day Initiative buys your vulnerability for $5,000, then you receive 5,000 points for that submission. If you received 37,000 points during calendar year 2008, then for calendar year 2009 you will be considered to have ZDI Gold status. The following are the various levels of ZDI Reward membership:

ZDI Rewards

Each level offers exclusive awards and benefits, each of which lasts for the one-calendar-year period following the year in which the points were earned:

ZDI Bronze:

  • 10% automatic monetary bonus on all vulnerability submissions over the next calendar year

  • One-time bonus of $1,000

ZDI Silver:

  • 15% automatic monetary bonus on all vulnerability submissions over the next calendar year

  • 25% ZDI Reward points multiplier on all vulnerability submissions over the next calendar year

  • One-time bonus of $5,000

  • Paid Travel and Registration to attend the DEFCON Conference in Las Vegas

ZDI Gold:

  • 20% automatic monetary bonus on all vulnerability submissions over the next calendar year

  • 50% ZDI Reward points multiplier on all vulnerability submissions over the next calendar year

  • One-time bonus of $10,000

  • Paid Travel and Registration to attend DEFCON and BlackHat Conferences in Las Vegas

ZDI Platinum:

  • 25% automatic monetary bonus on all vulnerability submissions over the next calendar year

  • 100% ZDI Reward points multiplier on all vulnerability submissions over the next calendar year

  • One-time bonus of $20,000

  • Paid Travel and Registration to attend DEFCON, BlackHat Conferences, and BlackHat Training in Las Vegas

ZDI Diamond:

  • 30% automatic monetary bonus on all vulnerability submissions over the next calendar year

  • 125% ZDI Reward points multiplier on all vulnerability submissions over the next calendar year

  • One-time bonus of $25,000

  • Paid Travel and Registration to attend DEFCON, BlackHat Conferences, and BlackHat Training in Las Vegas