TippingPoint Zero Day Initiative

Frequently Asked Questions

1. When/How can I sign up?
2. Who is TippingPoint?
3. Why did you create the Zero Day Initiative (ZDI)?
4. Why should I go to TippingPoint with my vulnerability discovery rather than somewhere else?
5. So are you encouraging me to try to violate the license or other terms applicable to vendors' products?
6. Since TippingPoint customers are protected prior to the disclosure, are they aware of the vulnerability?
7. Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?
8. What types of security vendors are eligible for advance notice?
9. What is the procedure for security vendors to receive vulnerability information?
10. How do security researchers keep track of ZDI reward points and pending cases?
11. Under the Zero Day Initiative Rewards program, what is a ZDI reward points multiplier?
12. What format does my vulnerability report need to be in?
13. Once I submit something, how long will it take to get an offer?
14. How does payment work?
15. Once I accept an offer, how long does it take to receive payment?
16. How many vulnerability reports can I send in?
17. Once I agree to assign a vulnerability to TippingPoint, am I allowed to distribute it, assign or sell it elsewhere, discuss it, or leak details about it?
18. What if another researcher submits the same vulnerability information as I do?
19. How will you really be able to know if I distribute it, sell it elsewhere, discuss it, or leak details about it?
20. How do you ensure that product vendors promptly fix the vulnerabilities that TippingPoint reports to them?
21. When you make contact with the vendor, can you keep me in the loop?
22. Do I have to file and send you a W-9 form if I am a US taxpayer?
23. Must I be a US resident to participate?
24. Do you have to know who I am in order for me to participate in the incentive program?
25. What if I want to remain anonymous when the vulnerability is made public in an advisory by you/the vendor?

1. When/How can I sign up?

The ZDI Secure Portal is available at https://www.zerodayinitiative.com/portal. Contact us if you are a security vendor that believes it qualifies for advance notice (refer to the question below on vendor qualifications).

2. Who is TippingPoint?

TippingPoint launched the first intrusion prevention system in 2002. The company quickly became the leading provider of intrusion prevention systems that deliver in-depth application, infrastructure, and performance protection for corporate enterprises, government agencies, service providers, and academic institutions. TippingPoint's approach offers customers network-based security combined with high performance, scalability and reliability.

TippingPoint provides a "virtual patch" functionality that protects vulnerable systems from compromise when host-by-host patches have not been applied or do not yet exist from the vendor. Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers' intrusion prevention systems. By writing vulnerability filters for security issues that come in through the Zero Day Initiative, we can maintain a competitive edge while protecting our customers and encouraging security researchers to bring findings into the public domain.

TippingPoint's goal is to provide the world's best intrusion prevention systems and secure converged networking infrastructure. The company aims to help customers avoid or mitigate threats to their networks, services, corporate information assets, computers and proprietary information before a crisis occurs, thereby minimizing disruption to network and business operations.

3. Why did you create the Zero Day Initiative (ZDI)?

Increasingly, an ecosystem is developing around technical security research knowledge concerning as-yet-undisclosed vulnerabilities. We believe that one effective way to capture this data is by establishing a best-of-breed research clearing house and community.

TippingPoint's goal for the Zero Day Initiative is to provide our customers with the world's best intrusion prevention systems and secure converged networking infrastructure. In order to accomplish our goal, we require access to the best and most timely security intelligence available.

The ZDI will additionally benefit computer users, computer technology vendors, businesses and the security community alike:

  • It ensures responsible disclosure of vulnerabilities, giving affected vendors the opportunity to issue solutions/patches to end users

  • By giving advance notice to other security vendors, their customers may receive quicker and more effective protection responses from those vendors

  • It makes the general Internet and technology community safer for computer users

  • It gives participating security researchers the positive recognition they desire

  • It gives TippingPoint the ability to provide customers with zero-day protection

4. Why should I go to TippingPoint with my vulnerability discovery rather than somewhere else?

TippingPoint has invested considerable resources to ensure the Zero Day Initiative is successful. We believe you will find our rewards program the most lucrative available to any researcher. Besides the obvious benefit of more compensation and higher incentives, the ZDI's approach to acquiring vulnerability information is different from any program to date. No technical details concerning the vulnerability are released publicly until the vendor has issued a patch. Any protection filters written for submitted vulnerabilities that TippingPoint distributes to its IPS customers are described only in very general terms and are encrypted to resist reverse engineering.

5. So are you encouraging me to try to violate the license or other terms applicable to vendors' products?

Absolutely not. The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any vendor's product. However, we are encouraging security researchers and other individuals who become aware of vulnerabilities to participate in our program for their own financial benefit and for the benefit of the vendor, security and end user communities at large.

6. Since TippingPoint customers are protected prior to the disclosure, are they aware of the vulnerability?

In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, TippingPoint customers are given only a generic description of the filter and are not informed of the vulnerability itself. Once details are made public in coordination with the product vendor, TippingPoint's Digital Vaccine® service for the Intrusion Prevention System provides an updated description so that customers can identify the filters that were protecting them. In other words, TippingPoint customers are protected from the vulnerability in advance, but they cannot tell from the filter description what the vulnerability is.

7. Why are you giving advance notice of the vulnerability information you've bought to other security vendors, including competitors?

We are sharing with other security vendors in an effort to do the most good with the information we have acquired. We feel we can still maintain a competitive advantage with respect to our customers while facilitating the protection of a customer base larger than our own.

8. What types of security vendors are eligible for advance notice?

We are currently offering advance notice only to other IPS vendors. In order to qualify for advance notice, a security vendor must be in a position to remediate or provide protection against vulnerabilities with its solution without revealing details of the vulnerability itself to customers. The security vendor's product must also be resistant to discovery of the vulnerability through trivial reverse engineering of the protection it ships.

9. What is the procedure for security vendors to receive vulnerability information?

The security vendor must show that it is able to provide protection for vulnerabilities. It must also agree to give appropriate credit to the original researcher and to provide a link back to TippingPoint's original ZDI advisory in its own filter/alert/database descriptions. Please contact us at zdi [at] tippingpoint [dot] com if you feel your company qualifies and would like to join the program.

10. How do security researchers keep track of ZDI reward points and pending cases?

Once you sign on as a new researcher in the ZDI program, you are given login credentials to the portal. On the ZDI site, you can track your current Rewards points, review the status of all pending cases, and view where your vulnerabilities are in the vendor disclosure lifecycle.

11. Under the Zero Day Initiative Rewards program, what is a ZDI reward points multiplier?

A multiplier is an added incentive for frequent researchers. For example, if you have ZDI Platinum status and receive a vulnerability valuation of $5,000, you would receive a payment of $6,250 (25% multiplier) and 10,000 reward points (100% multiplier).

12. What format does my vulnerability report need to be in?

Researchers can submit their vulnerabilities in any form they choose (e.g., sample exploit code, a detailed description of the vulnerability, etc.). A TippingPoint security researcher will follow up directly with the submitter if more details are needed.

13. Once I submit something, how long will it take to get an offer?

Verification times vary from a few days to a few weeks depending on a number of factors, such as the current queue of vulnerability submissions, the complexity of verification and the difficulty of obtaining and configuring the target environment. On average we have a response for you within two weeks.

14. How does payment work?

TippingPoint's methods of payment are bank wire transfer and mailed check. Researchers can decide which method suits them best when they sign on to the ZDI portal and set their preferences.

15. Once I accept an offer, how long does it take to receive payment?

Depending on the payment method you prefer (wire transfer or check), it may take anywhere from two to three weeks.

16. How many vulnerability reports can I send in?

There is no limit on the number of vulnerability reports.

17. Once I agree to assign a vulnerability to TippingPoint, am I allowed to distribute it, assign or sell it elsewhere, discuss it, or leak details about it?

No. The reason we're making such an investment in vulnerabilities is to maintain exclusivity and also to protect all end users, including non-TippingPoint customers, until a patch is available from the vendor.

18. What if another researcher submits the same vulnerability information as I do?

On occasion, we may receive information from multiple researchers regarding the same vulnerability in the same vendor product. If this occurs, the first researcher who provides information that can be verified by our ZDI team will be compensated, provided they accept our offer. Subsequent researchers submitting the same vulnerability will not be.

19. How will you really be able to know if I distribute it, sell it elsewhere, discuss it, or leak details about it?

The success of the ZDI depends on mutual trust between TippingPoint and ZDI researchers. Researchers trust TippingPoint not to do anything with the vulnerability report until a mutual agreement is in place. We trust you to grant us exclusive access to this information. If researchers violate exclusivity, they will be prohibited from further participating in the ZDI.

20. How do you ensure that product vendors promptly fix the vulnerabilities that TippingPoint reports to them?

TippingPoint follows its Vulnerability Disclosure Policy when reporting security vulnerabilities to product vendors. Obviously, responsible disclosure only works well when an affected product vendor makes a concerted effort to evaluate and address the reported flaw. TippingPoint will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, TippingPoint will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no cases will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.

21. When you make contact with the vendor, can you keep me in the loop?

Absolutely. We will let you know where things stand with all of your own current cases with regards to vendor disclosure. This information is tracked in your section of the ZDI portal.

22. Do I have to file and send you a W-9 form if I am a US taxpayer?

Yes. If you are a U.S. person (a U.S. citizen or resident alien) for IRS tax purposes, you must provide us a completed and signed W-9 form prior to receiving any payments from us.

23. Must I be a US resident to participate?

No. Individuals from most countries globally can participate in the ZDI. If there are issues with your participation due to the country in which you live, you will be advised of this during the application process and the ZDI team will make all accommodations legally permissible to allow your participation.

24. Do you have to know who I am in order for me to participate in the incentive program?

Yes. For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known blackhats or illegal groups.

25. What if I want to remain anonymous when the vulnerability is made public in an advisory by you/the vendor?

We will keep your identity hidden from the public and/or vendor according to your wishes.