The Trend Micro Zero Day Initiative (ZDI) is the world's largest vendor-agnostic bug bounty program and has been running for nearly 20 years. The program was created to bring visibility into the use of zero-day exploits in attacks and to remove those bugs from the exploit market by helping vendors identify and patch them. Over the years, ZDI has been instrumental in providing many bugs to a multitude of vendors across the computing landscape. My friend and colleague, Dustin Childs, regularly blogs about the latest updates from the program, and he recently wrote about the statistics from ZDI in 2023. You can check out his blog here. In this article, I want to focus on the benefits that ZDI brings to the world, our industry, and our customers.
- ZDI disclosed 1,913 bugs in 2023 (~10% increase from 2022), of which nearly 3 of 4 were rated Critical/High risk. The value of this is that ZDI is able to disclose a large number of bugs that could be exploited in the wild if adversaries found them first. Identifying Critical/High-risk bugs matters most, as they are the ones most likely to cause problems for these vendors and our customers. According to Qualys, the mean time to exploit high-risk vulnerabilities in 2023 stands at approximately 44 days.
- Between 7% and 8% of all vulnerabilities disclosed in 2023 came from the ZDI. Approximately 27,000 CVEs were published in 2023, versus the 1,913 bugs from ZDI. While this may be a small percentage, it shows that ZDI is effective in taking bugs off the exploit market.
- ZDI provided Microsoft with 20% of all the vulnerabilities Microsoft disclosed in 2023. This shows the value ZDI brings to Microsoft and to anyone who uses Microsoft products. When we analyzed the underground exploit market, we found that Microsoft products made up 47% of the exploits adversaries were asking for. So almost half of the bugs requested by adversaries for use as exploits are in Microsoft products, and 51% of all exploits sold were for Microsoft products too. Because ZDI provides 20% of Microsoft's bugs, we have early access to them and can give our customers virtual patches that protect them from any exploits in use until a vendor patch is available. In 2022, ZDI provided our customers an average of 79 days of pre-disclosure protection.
- While Microsoft was #2 in bugs disclosed by ZDI in 2023, Adobe was #1, and ZDI provided Adobe with 78% of all the bugs submitted to them last year. This shows the value ZDI brings to key vendors like Microsoft and Adobe in securing their software. In 2022, ZDI provided our customers an average of 39 days of pre-disclosure protection for Adobe bugs.
- ZDI disclosed 198 zero-day bugs, meaning bugs for which the vendor, for whatever reason, chose not to provide a patch. While this may sound ominous, there are reasons for doing it. The main reason is that ZDI wants to ensure the world knows these bugs exist, but disclosure is also an incentive for the vendor to release a fix. In many cases, we alert the vendor of the pending disclosure, and they end up creating a patch for the bug.
- Nearly 50% of the bugs disclosed by ZDI came from Trend Micro internal researchers, showing that our expertise in vulnerability research is growing. Our vulnerability research is second to none in the world and shows we're investing in this area to ensure we continue to keep the world safe. Whether it is pre-disclosure support via ZDI or our internal researchers analyzing known bugs in post-disclosure research, we're able to protect our customers from new 0-day and n-day exploits.
- The breadth of our vulnerability research is seen in the Pwn2Own events, where in 2023 we held contests focusing on automotive, critical infrastructure, home automation, and business software. These events bring the best researchers from around the world to compete for money and the coveted Master of Pwn award. Many vendors attend and work with the researchers to make sure they understand each bug so they can develop patches for it. Our continued support of these events highlights our support for the external researchers who attend and are instrumental in providing new bugs to the program. Last year ZDI paid out over $2M in bounties to researchers across all Pwn2Own events.
As you can see above, the ZDI has continued to grow over the years and remains a force in the world of vulnerability disclosure. Let me share some key overall benefits the program brings:
- The benefit of ZDI to the public is the ability to obtain quality bugs from researchers, both internal and external: 78% of the bugs in 2023 were rated critical or high severity.
- ZDI helps manage the disclosure process with affected vendors, keeping vendors accountable for patching their bugs and removing bugs that adversaries could otherwise use in exploit-based attacks. The time it takes adversaries to weaponize a new bug continues to shrink each year.
- The overall benefit to Trend Micro customers and partners is our focus on the critical software they use, backed by higher bounties for bugs in critical applications. Pre-disclosure virtual patches are made available to customers (specifically TippingPoint and Cloud One Network Security customers) on average 70+ days before a public patch is available. This ensures that any existing exploits, or new ones used before the vendor patch is applied, are covered by Trend.
As you can see, the Zero Day Initiative is a hidden gem if you weren't aware of the program, and it provides the world with a much-needed service. Vendors like Microsoft and Adobe applaud its efforts and thank it for its support. ZDI is also the top vendor submitting bugs to ICS-CERT, which helps protect our critical infrastructure, which continues to be attacked by adversaries from around the world. This program is a key component of Trend's overall research and allows us to support the world. If you want more information about ZDI, check out their website, where you can find details about the bugs they have disclosed, the bugs they will be disclosing, and more.