ZDI research lead speaks to The Daily Swig about the scheme, which is offering up to $1.5 million for critical flaws
A new exploit purchase program by Zero Day Initiative (ZDI) will put server-side vulnerabilities into the spotlight, as the group offers $1.5 million in ‘special awards’.
ZDI, a research initiative formed by Trend Micro, announced a new targeted incentive program (TIP) this week, which offers additional rewards within its existing program.
The latest offerings will focus on critical-class server-side vulnerabilities in systems including WordPress, Microsoft IIS, and Drupal.
Targets will be hand-picked by ZDI and will be open for hunting on August 1, but each will only be available for a limited period, or until a hacker has scooped the first-come, first-served prize.
Brian Gorenc, director of vulnerability research at ZDI, told The Daily Swig that the idea for the program came from the group’s annual Pwn2Own championships.
“With Pwn2Own, we’re able to acquire specific types of bugs through the various categories of the contest. This is great, but the contest is only a couple of days,” Gorenc said.
“The way this program is designed allows us to look for specific types of bugs over longer periods of time.”
To claim an award, bounty hunters must enter a zero-day vulnerability which affects the core code of the target, Gorenc explained.
Each vulnerability category will only be open for submissions for a specific amount of time, and new bugs will be added to the list in the future.
The targets will disappear from the list either on the expiry date, or when the flaws have been successfully identified and proven.
Gorenc said: “We want to guide research to different targets, so having new categories keeps researchers looking at different areas.”
By running and promoting the bug bounty program, ZDI’s parent company Trend Micro gains access to the expertise of external security researchers, Gorenc noted, enabling it to better protect its products and, in turn, its customers.
He told The Daily Swig: “The Zero Day Initiative represents the world’s largest vendor agnostic bug bounty program. While Trend Micro maintains internal research teams, it makes sense to augment this work with additional zero-day research from a global network of independent researchers.
“The submissions provided through our bounty program extend our internal research teams by leveraging the methodologies, expertise, and time of others.”
A list of targets and corresponding payouts can be found here.