Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as part of the HP TippingPoint acquisition in 2015. ZDI buys software vulnerabilities from independent security researchers and discloses them to the affected vendors for patching before making the details public.


History

ZDI was started on July 25, 2005 by TippingPoint and was initially led by David Endler and Pedram Amini. The "zero-day" in ZDI's name refers to Day Zero, the first time a vendor becomes aware of a vulnerability in a specific piece of software. The program was launched to give cash rewards to vulnerability researchers and hackers who could demonstrate exploitable flaws in a wide variety of software. Because of a lack of incentives and concerns about legal safety and confidentiality, researchers who find vulnerabilities are often deterred from approaching vendors directly. ZDI was created as a third-party program to collect and incentivize the discovery of such vulnerabilities while protecting both the researchers and the sensitive details of the bugs. ZDI contributors have found security vulnerabilities in products such as Firefox 3, Microsoft Windows, QuickTime for Windows, and a variety of Adobe products. ZDI also conducts internal vulnerability research and has found many vulnerabilities in Adobe, Microsoft, VMware, and Oracle Java products. In 2016, ZDI was the top external supplier of bugs for both Microsoft and Adobe, having "purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software." ZDI also adjudicates the Pwn2Own hacking competition, which is held three times a year and in which teams of hackers can take home cash prizes as well as the software and hardware devices they have successfully exploited.


Buying exploits

There has been criticism of the sale of software exploits, as well as of the entities that buy them. Although the practice is legal, its ethics remain contested. Most critics are concerned about what happens to an exploit once it is sold. Hackers and researchers who find flaws in software can sell those vulnerabilities to government agencies, to third-party companies, on the black market, or to the software vendors themselves. The fair market value and the black market value of a software exploit differ greatly (often by tens of thousands of dollars), as do the implications of each kind of purchase. This combination of concerns has led to the rise of third-party programs such as ZDI as places where security researchers can report and sell vulnerabilities. ZDI receives submissions for vulnerabilities such as remote code execution, elevation of privilege, and information disclosure, but "it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programs."

