Frequently Asked Questions

  • ABOUT TIPPINGPOINT

    WHO IS TIPPINGPOINT?

    TippingPoint launched the first intrusion prevention system in 2002. We provide a "virtual patch" functionality that protects vulnerable systems from compromise when host-by-host patches have not been applied or do not yet exist from the vendor. Our security research team develops new Digital Vaccine® protection filters that address the latest vulnerabilities and are constantly distributed to our customers. By writing vulnerability filters for security issues that come in through the Zero Day Initiative, TippingPoint maintains a competitive edge while protecting customers and encouraging security researchers to bring findings into the public domain.

    WHY DID YOU CREATE ZERO DAY INITIATIVE?

    Our goal for the Zero Day Initiative is to provide our customers with the world's best intrusion prevention systems and secure converged networking infrastructure. In order to accomplish this, we need access to the best and most timely security intelligence available.

    Benefits of the ZDI include:

    • It ensures responsible disclosure of vulnerabilities, giving affected vendors the opportunity to issue solutions/patches to end users
    • Advance notice to other security vendors lets their customers receive quicker and more effective protection responses from those vendors
    • It makes the general Internet and technology community safer for computer users
    • It gives participating security researchers the positive recognition they desire
    • It gives TippingPoint the ability to provide customers with zero-day protection

    WHY SHOULD I GO TO TIPPINGPOINT WITH MY VULNERABILITY DISCOVERY?

    TippingPoint has invested considerable resources to ensure the Zero Day Initiative is successful. We believe our rewards program is the most lucrative available. Besides the obvious benefit of more compensation and higher incentives, the ZDI's approach to the acquisition of vulnerability information is different from any program to date. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. Any protection filters written for submitted vulnerabilities that TippingPoint distributes to its customers are obscured by being described only in very general terms and are encrypted to prevent reverse engineering.

  • PROGRAM MECHANICS

    IS THE PROGRAM FOR U.S. RESIDENTS ONLY?

    No. Individuals from most countries globally can participate in the ZDI. If there are issues with your participation due to the country in which you live, you will be advised of this during the application process and the ZDI team will make all accommodations legally permissible to allow your participation.

    WHEN AND HOW CAN I SIGN UP?

    Please visit the ZDI Secure Portal.

    HOW DO I KEEP TRACK OF ZDI REWARD POINTS AND PENDING CASES?

    Once you sign on as a new researcher in the ZDI program, you are given login credentials to the portal. On the ZDI site, you can track your current Rewards points, review the status of all pending cases, and view where your vulnerabilities are in the vendor disclosure lifecycle.

    WHAT FORMAT DOES MY VULNERABILITY REPORT NEED TO BE IN?

    Researchers can submit their vulnerabilities in any form they choose (e.g., sample exploit code, a detailed description of the vulnerability, etc.). A TippingPoint security researcher will follow up directly with the researcher if more details are needed.

    HOW MANY VULNERABILITY REPORTS CAN I SEND IN?

    There is no limit on the number of vulnerability reports.

    WHAT IF ANOTHER RESEARCHER SUBMITS THE SAME VULNERABILITY INFORMATION AS I DO?

    On occasion, we may receive information from multiple researchers regarding the same vulnerability in the same vendor product. If this occurs, the first researcher who provides information that can be verified by our ZDI team will be compensated, if they accept our offer. Subsequent researchers submitting the same vulnerability will not.

  • PAYMENT & REWARDS

    ONCE I SUBMIT SOMETHING, HOW LONG WILL IT TAKE TO GET AN OFFER?

    On average, we respond within two weeks. Verification times vary from a few days to a few weeks depending on a number of factors such as the current queue of vulnerability submissions, the complexity of verification and the difficulty of obtaining and configuring the target environment.

    HOW DOES PAYMENT WORK?

    Our methods of payment include bank wire transfer or mailed check. Researchers can decide which method suits them best when they sign on to the ZDI portal and set their preferences.

    ONCE I ACCEPT AN OFFER, HOW LONG DOES IT TAKE TO RECEIVE PAYMENT?

    Depending on the payment method you select, it may take anywhere from two to three weeks.

    DO I HAVE TO FILE AND SEND YOU A W-9 FORM IF I AM A US TAXPAYER?

    Yes. If you are a U.S. citizen (including a resident alien) for IRS tax purposes, you must provide us a completed and signed W-9 form prior to receiving any payments from us.

    WHAT IS A ZDI REWARD POINTS MULTIPLIER?

    A multiplier is an added incentive to frequent researchers. For example, if you have ZDI Platinum status and receive a vulnerability valuation of $5,000, then you would receive a payment of $6,000 (25% multiplier) and 10,000 reward points (100% multiplier).

  • PRIVACY

    CAN I PARTICIPATE IN THE INCENTIVE PROGRAM WITHOUT DISCLOSING MY IDENTITY?

    No. For financial accountability and tax reporting purposes, we need to know who we're sending payments to. For ethical oversight, we need to ensure we're not dealing with known black hats or illegal groups.

    CAN I REMAIN ANONYMOUS WHEN THE VULNERABILITY IS MADE PUBLIC?

    We will keep your identity hidden from the public and/or vendor according to your wishes.

  • COMMUNICATION & TRUST

    ONCE I AGREE TO ASSIGN A VULNERABILITY TO TIPPINGPOINT, AM I ALLOWED TO DISTRIBUTE IT, ASSIGN OR SELL IT ELSEWHERE, DISCUSS IT, OR DISCLOSE DETAILS ABOUT IT?

    No. The reason we're making such an investment in vulnerabilities is to maintain exclusivity and also to protect all end users, including non-TippingPoint customers, until a patch is available from the vendor.

    HOW WILL YOU KNOW IF I DISTRIBUTE IT, SELL IT ELSEWHERE, DISCUSS IT, OR LEAK DETAILS ABOUT IT?

    The success of the ZDI depends on mutual trust between TippingPoint and ZDI researchers. Researchers trust TippingPoint not to do anything with the vulnerability report until a mutual agreement is in place. We trust you to grant us exclusive access to this information. If researchers violate exclusivity, they will be prohibited from participating in the ZDI.

    WHEN YOU MAKE CONTACT WITH THE VENDOR, CAN YOU KEEP ME IN THE LOOP?

    Absolutely. We will let you know where things stand with all of your own current cases with regards to vendor disclosure. This information is tracked in your section of the ZDI portal.

  • OTHER

    ARE YOU ENCOURAGING ME TO VIOLATE THE LICENSE OR OTHER TERMS APPLICABLE TO VENDORS' PRODUCTS?

    The ZDI does not encourage or promote the violation of licenses or other restrictions applicable to any vendor's product. However, we are encouraging security researchers and other individuals who become aware of vulnerabilities to participate in our program for their own financial benefit and for the benefit of the vendor, security and end user communities at large.

    SINCE TIPPINGPOINT CUSTOMERS ARE PROTECTED PRIOR TO THE DISCLOSURE, ARE THEY AWARE OF THE VULNERABILITY?

    In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, TippingPoint customers are given only a generic description of the filter and are not informed of the vulnerability itself. Once details are made public in coordination with the product vendor, TippingPoint's Digital Vaccine® service provides an updated description so that customers can identify the filters that were protecting them. In other words, TippingPoint customers are protected from the vulnerability in advance, but they cannot tell from the filter description what the vulnerability is.

    HOW DO YOU ENSURE THAT PRODUCT VENDORS PROMPTLY FIX THE VULNERABILITIES THAT TIPPINGPOINT REPORTS TO THEM?

    TippingPoint follows its Vulnerability Disclosure Policy when reporting security vulnerabilities to product vendors. Obviously, responsible disclosure only works well when an affected product vendor makes a concerted effort to evaluate and address the reported flaw. TippingPoint will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, TippingPoint will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no case will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it.