In just one week, the Zero Day Initiative (ZDI) will be celebrating its two-year anniversary. In those two years we've achieved a lot of milestones I'm proud of: a community of over 600 researchers, 27 acquired critical Microsoft 0day vulnerabilities, and over 1,000 vulnerability submissions. As part of our rewards system, we're treating our top researchers to an all-expenses-paid trip to Las Vegas to attend the Black Hat and DEF CON security conferences next week. In between beers and blackjack, we'll be brainstorming with this collective brain pool on vulnerability research tools and techniques, interesting new potential research targets, and of course the future of vulnerability markets.
We are often asked about the demographics and age of our researcher base. Our ZDI research team is predominantly male and in their 20s. Most of them currently reside in the US, UK, Germany, Brazil and India (in that order). All in all, the monthly submission rate is fairly constant, with an average of 40 new vulnerability submissions per month, though some weeks spike higher than others. We've observed a spike in submissions from some of our researchers around the summer months, probably due to school being out. Our purchasing rate is also fairly consistent and runs at about 10% of the submissions we get in. An average of about 15 new security researchers sign up for a ZDI account each month.
Our researchers tend to stick to a specific auditing methodology: file format parsing, network protocol parsing, browser bugs, etc. In general everyone has a specialty. We don't see much variance in targets when it comes to browser bugs, predominantly because we are only interested in Microsoft Internet Explorer and Mozilla Firefox vulnerabilities. However, we do see a significant range in the targets for network protocol parsing bugs.
We thought it would be interesting to poll some of our top ZDI vulnerability researchers with permission to reprint some of the best responses anonymously. We asked the following questions and received the following answers:
Q.) Would you consider doing business with the "underground" for more money?
- Yes: 10%, No: 90%
Q.) If no, why not?
- "A company already offered to buy 0days from me for much more money, but I declined this offer because I didn't know what they really wanted to do with that, and in the end I don't think it will help to improve the security of the software industry."
- "Although money-wise it might be very tempting, legally and morally it's not tempting at all, so No."
- "At some point everybody could be bought, I guess. But that would have to be really a lot more money. I will not work with criminals for ten, twenty or so times the money."
- "I've thought about it, and got offers but no."
Q.) If you did not sell your research to TippingPoint, would you have reported your findings to the affected vendor?
- "I continue to report vulnerabilities directly to vendors in products in which I believe ZDI would not be interested in purchasing the vulnerability information (I recently reported SQL injection and unsafe encoding method vulnerabilities in [CENSORED] - I presumed you wouldn't be interested - I hope I was right). Since I sold my first vulnerability to you I have continued to research the same product (Internet Explorer), and in fact all the vulnerabilities I have sold have been in IE. I personally believe if I hadn't discovered these vulnerabilities they would eventually have been discovered by someone else who may or may not have used them for less ethical purposes."
- "In some cases... when I get the time or feel like it. I usually have many irons in the fire. A vuln that is profitable / billable usually takes precedence. Vendors don't compensate in any form in most cases, so... there are no obligations or sense of urgency to toss the info over their fence."
- "If the affected product is popular and affecting desktop users, I may contact the vendor."
- "Yes, whenever I get a rejection I contact CERT/CC and the vendor."
- "If you don't buy, I try iDefense. If they aren't interested as well I will try to contact the vendor, but some vendors are hard to contact, so I still have some exploits 'on the shelf'. I'm still not sure if 'Full Disclosure' really is the best way to go; when looking at the mailing lists it seems that 60% of the so-called full disclosure is mainly a way to flatter someone's ego. I don't believe that all software developers are evil and deserve public punishment. The main argument usually has to do with the complaint that 'they' sell flawed software, and therefore must be evil. I know from experience that it's almost impossible to create perfect software, and as long as a vendor has a normal response to any security issues found (like Mozilla does) I really don't think Full Disclosure helps the public, it only 'helps' the person who discloses it."
- "Yes. I did that in the past and I continue to do it for some flaws. The only problem is that this process can be really bad with
  - they don't care about the report;
  - they don't publish security advisory;"
- "I really don't like when vendors don't publish information about a security fix added in an update, and that's why I'm sure it will be done with ZDI."
- "Sure. I have reported lots to the vendor."
Q.) Are vulnerability sales your primary source of income?
- "It's an important source of my income."
- "No. In fact I'm not even hunting for vulnerabilities, I just find them when I have to work on some software during my job."
- "Nope, I have a full time job as a Perl developer, hence the slow rate of research :)"
- "Nope but they are a heavy supplement to my income."
- "They are one of two (I also have a (flexible) full time job)."
Q.) Do you work in the security industry? Or is this just a hobby?
- Industry: 40%, Hobby: 60%
Q.) Please summarize your experiences with the ZDI in a couple of sentences.
- "I started cooperating with ZDI with a [CENSORED] vulnerability; after that, I have submitted over 20 vulnerabilities."
- "It's really cool to work with a dedicated and talented team of researchers that can test and validate our findings. Another great thing is that ZDI takes care of the vulnerability disclosure process, from the vendor contact to the publishing of the advisory (and ZDI's advisories are really good), and I know it can take a long time and be boring with some vendors (should I say [CENSORED] here? :-)."
- "Good experience so far, as mentioned before ZDI usually has a nice quick response to any research and pays on time. I like the benefits that come with the ZDI Status and am looking forward to DEFCON :)"
- "I like it as a competitor to iDEFENSE, but still pricing and speed could be improved; also there could be some sort of 'workshops' for contributors to improve their knowledge and thereby provide you with more findings."
- "I have had nothing but positive experiences with ZDI, I have always been satisfied, and often impressed with the speed with which my work is evaluated and the value that is given to it."
Q.) What is it about ZDI that you appreciate the most?
- "The fact that I no longer have to deal with vendors :-)"
- "I like the (usually) quick replies about research usually followed by a quick offer. And I like the fact that (for now) you have always offered the highest price for submission"
- "Besides the good payment, I appreciate the good contact and the professional verification process. Also I can be sure that the vulnerabilities get reported to the vendors immediately and that they will be disclosed responsibly. Oh, and I like the bonus program ;)"
- "Currently the best paying (Whitehat organization)"
- "You are NOT iDefense."
- "In my experience, reporting vulnerabilities directly to vendors can be a tedious process. It often requires the production of numerous examples and detailed explanations to prove to the vendor that their product is flawed. When I submit work to yourselves I know I can trust that it will be investigated fully without any further prompting. I have been consistently impressed with the technical ability and understanding shown by your research team."
The questions we posed were meant to help shed a little more light on the motivations and background of researchers who sell their vulnerability discoveries. Beyond financial incentives, an overwhelming number of them are put off by dealing with certain product vendors directly, often because of past experiences that left a bad taste in their mouths. Others might not have the time to convert their crash dump into a fully researched vulnerability analysis in order to convince the vendors of a real problem. For now, it seems one of the more positive side effects of pay-for-vuln programs like ours is that they encourage researchers to part with their vulnerabilities faster by unburdening them from the disclosure process. We know from past experience how challenging and intimidating this process can be, which is why we set up an entire team at TippingPoint to handle just vendor disclosures.
We'll be circulating additional questions throughout the year to our 600+ ZDI contributors and would love to get your suggestions on what else you'd like to ask them.