Announcing the Targeted Incentive Program: A Special Award for Special Targets

July 24, 2018 | Brian Gorenc

Over the course of the last 13 years of the ZDI program, we’ve bought a lot of bug reports – a lot of bug reports. Just in the first half of this year, we published 600 advisories, and that number continues to grow. One advantage of purchasing this many bug reports is that we can guide researchers towards specific areas that either interest us or enhance protections for our customers. For example, we added a virtualization category to our Pwn2Own event to see what sort of exploits could escape a guest OS, and the results were fascinating. That’s one of the main drivers behind the newest addition to our existing bug bounty – the Targeted Incentive Program – which brings over $1,500,000 USD in special bounty awards for specific targets.

We want to increase the number of critical class, server-side vulnerabilities the ZDI receives from the researcher community. Starting August 1st, the Targeted Incentive Program (TIP) offers a special monetary award for specific targets, but only for the first successful entry and only for a certain period of time. To begin this program, we’re starting with primarily open source server-side products used by our customers and the general computing community.

Here are the initial targets, their awards, and time frame for each category:

   Target    Operating System Bounty (USD)    Time Frame
Joomla Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
Drupal Ubuntu Server 18.04 x64 $25,000 August 2018 through September 2018
WordPress Ubuntu Server 18.04 x64 $35,000 August 2018 through October 2018
NGINX Ubuntu Server 18.04 x64 $200,000 August 2018 through November 2018
Apache HTTP Server Ubuntu Server 18.04 x64 $200,000 August 2018 through December 2018
Microsoft IIS Windows Server 2016 x64 $200,000 August 2018 through January 2019

This means that researchers have until the end of September to get $25,000 for a Drupal or Joomla exploit. They have until the end of October to earn $35,000 for a WordPress exploit, and so on for each of the other categories. The first researcher that provides a fully functioning exploit demonstrating remote code execution earns the full bounty amount. Once the prize is claimed, the target will be removed from the list and a new target will be added to the target list.

Similar to Pwn2Own, successful entries need to be fully functioning exploits – not just proofs of concept. The vulnerabilities are required to be true 0-days and should affect the core code of the selected target. Entries in add-on components or plug-ins will not be accepted. A successful entry must leverage a vulnerability (or vulnerabilities) to modify the standard execution path of a program or process in order to allow the execution of arbitrary instructions. Successful entries must defeat the target's mitigations designed to ensure the safe execution of code, such as, but not limited to, Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and/or application sandboxing. The targets will be running on the latest, fully patched version of the operating system available for the selected target unless otherwise stated. Any questions about specific configurations will be answered via email.

The first exploit to successfully compromise a target will be awarded the prize amount indicated for that specific target. Subsequent submissions may still be purchased by the program through the standard bug reporting process.

Once targets are compromised or the end date for a category occurs, additional targets will be added to the program. As of now, we have more than $1,000,000 of bounties allocated for future targets. We don’t want to give away too much ahead of time but expect more products in the $200,000 - $250,000 range.

New targets can and will be added to the target list based on guidance from the ZDI team along with the other teams inside of Trend Micro. We may also add products based on what we’re seeing actively targeted or what is of special interest to Trend Micro customers. Submissions to the program will be handled via the standard Zero Day Initiative Researcher Agreement and Disclosure Policy.  This also means that once notified, vendors will have the standard 120 days to release a security patch to the public.

If you are thinking about participating but have a specific configuration or other program-related questions, email us. Questions asked via Twitter, blog post or other means will not be acknowledged or answered.

We will be blogging results and new categories here as the TIP continues. It’s our hope to provide a detailed analysis of the winning bugs as they are patched, so definitely stay tuned for details and demonstrations. Until then, there’s $685,000 currently available to those who can find and exploit these bugs within their time frames, and more on the way. 

The bugs targeted by this program represent some of the most widely used and relied upon software available. We’re looking forward to finding – and eliminating – as many as possible. Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the program. We look forward to seeing the submissions, and best of luck to all researchers submitting.