TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... We release at least two Digital Vaccine updates a week to our IPS customers; on average each has about 10 new security filters, many of which are turned on by default.

Year in Review: 2010

2010 was a record year for the DVLabs team here at TippingPoint. The Zero Day Initiative hit an all-time personal and industry record of 300 vulnerabilities fixed through the program (triple the number for 2009). Affected products and severity are our primary concerns when acquiring vulnerabilities through the ZDI and the high-profile list of vendors and CVSS scores on the ZDI published advisory page attests to that. Over the course of the year the ZDI facilitated the patching of numerous high-risk vulnerabilities in enterprise software vendors including Microsoft (29), Novell (39), Mozilla (22), Apple (54), Adobe (22), and IBM (24), to name a few. Additionally, our team has published 19 internal discoveries and has quite a few more in the upcoming queue. To handle all of these bugs the ZDI team has grown and is now the largest it has ever been. The increased headcount allows us to focus more on individual research projects and we look forward to giving conference presentations in the new year.

To thank our researchers for this successful and record-breaking year we are excited to announce a new ZDI reward status: Diamond. To achieve this status a researcher must receive 75,000 reward points over the course of one year. In addition to a 30% monetary bonus and a 125% reward point multiplier on all submissions for the next calendar year we will also award a one-time bonus of $25,000 USD and paid travel and registration to attend DEFCON and Blackhat (conference and trainings) in Las Vegas. For the details and breakdown of the ZDI benefits please visit http://www.zerodayinitiative.com/about/benefits (to be updated next week).

This increased participation in the ZDI program has inspired us to make a few changes to the way we operate. In August we announced our new disclosure policy giving vendors 6 months to patch vulnerabilities we report. This has been tremendously well received by vendors and researchers alike. Dan Holden and I will be on a disclosure panel at the upcoming RSA conference where we will be announcing the results of this change in detail. While we weren't the first to enforce a disclosure deadline, we like to think of our policy change as a vote of confidence in the initiative of independent researchers who attempt to hold vendors responsible for introducing risk and failing to remediate it in a timely fashion when notified. Also, in an effort to maintain the loyalty we've established with our researchers, we have worked with Hewlett-Packard's finance department to establish a 5 to 10 day remittance period for all ZDI payments, a 3x improvement over the previous timeline.

There have also been some noteworthy new offerings headed up by our newly-formed DVLabs Advanced Security Intelligence team this year. In 2010 we launched our Reputation DV service to customers. This service combines data we gather from our global network of sensors with data from third-party vendors to deliver a dynamic list of malicious IP addresses and domain names to the TippingPoint IPS. When we launched the service in Q1 we were already tracking 1 million malicious IP and DNS entries. By the end of December that number had increased to well over 2 million entries.

And for all those coworkers enjoying YouTube while you're working diligently, we've introduced the TippingPoint Application DV service, free to existing customers. AppDV greatly enhances customers' ability to detect, block, and rate limit applications running on their network.

There has also been much progress made on the ThreatLinQ portal which has processed in excess of 2 billion security events in 2010 (up from under 1 billion in 2009). Throughout 2010 we invested a lot of time and money into developing the tools which process ThreatLinQ data and we continue to utilize it to fuel our internal exploit research. We are not finished with these tools yet, but look for some very good filters and blog posts from Mike Dausin to come out of these tools in 2011.

Before wrapping this up we'd like to take this opportunity to confirm that the 5th annual Pwn2Own competition is, in fact, going to happen. You can expect cumulative monetary and hardware prizes valued in excess of $100,000 USD, similar to last year. We are currently working out the detailed rules and hope to have a pre-registration ready for applicants within a few weeks. This year most of the ZDI team will be in attendance, including our newest hire: Pwn2Own 2010 winner Peter Vreugdenhil whose bug was actually just patched by Microsoft yesterday. This year Peter will be participating as a judge.

As always, follow us here on the blog or on Twitter (aaronportnoy, thezdi, tippingpoint1) for updates from the TippingPoint DVLabs.


--
Aaron Portnoy

Published On: 2011-01-13 15:52:18
