
About | Zero Day Initiative

<!DOCTYPE html> <!--[if IE 8]><html class="no-js lt-ie10 lt-ie9"> <![endif]--> <!--[if IE 9]><html class="no-js lt-ie10"> <![endif]--> <!--[if gt IE 8]><!--><html class="no-js"> <!--<![endif]--> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <title>About | Zero Day Initiative</title> <meta name="description" content=""> <meta name="keywords" content=""> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"> <link rel="shortcut icon" type="image/x-icon" href="/images/favicon.png?v1"/> <!-- For FaceBook --> <meta property="og:title" content=""/> <meta property="og:description" content=""/> <meta property="og:type" content="website"/> <meta property="og:url" content="https://zerodayinitiative.com"/> <meta property="og:image" content="https://zerodayinitiative.com/images/logo-footer.svg"/> <!-- For Twitter --> <meta property="twitter:card" content="summary" /> <meta property="twitter:site" content="@thezdi" /> <meta property="twitter:title" content="" /> <meta property="twitter:description" content="" /> <meta property="twitter:image" content="https://zerodayinitiative.com/images/twitter-card-img.png" /> <link href="https://fonts.googleapis.com/css?family=Titillium+Web:300,400,600,700" rel="stylesheet"> <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet"> <link rel="stylesheet" href="/css/main.css"> <script src="/js/modernizr-2.6.2-custom.js"></script> <meta name="google-site-verification" content="Fg7Cv9bbfjatWXeO3ZV5PHYiFFvOkmQ07rVzqm5zqGo" /> <!-- Google tag (gtag.js) --> <script async src="https://www.googletagmanager.com/gtag/js?id=G-DBFMYZ5KK8"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-DBFMYZ5KK8'); </script> <script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r; 
i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date(); a=s.createElement(o),m=s.getElementsByTagName(o)[0];a.async=1;a.src=g; m.parentNode.insertBefore(a,m)})(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-93169700-1', 'auto'); ga('send', 'pageview'); </script> </head> <body class=""> <div id="nav" class="group"> <div id="navContent"> <div class="nav__container"> <div class="nav__header"> <div class="global-header__logo"> <a href="/"><img src="/images/logo.svg" alt="thezdi"/></a> </div> <div id="mobileNavIcon" class="js-mobile-nav-toggle">Menu</div> <div id="mobileOverlay"></div> </div> <nav class="nav__list" role="main-navigation"> <ul class="list-no-bullets"> <li class="nav__tier1"><a href="https://www.trendmicro.com/privacy">PRIVACY</a></li> <li class="nav__tier1"><a href="/about/">WHO WE ARE</a></li> <li class="nav__tier1"><a href="/about/benefits/">HOW IT WORKS</a></li> <li class="nav__tier1"><a href="/blog/">BLOG</a></li> <li class="nav__tier1"><a href="/advisories/">ADVISORIES</a></li> <li class="nav__tier1 userActions"> <a href="/portal/">LOG IN</a> <a href="/portal/register/">SIGN UP</a> </li><li> </li> </ul> </nav> </div> </div> </div> <!-- Begin Off Canvas Menu--> <div class="off-canvas"> <nav class="off-canvas__list" role="main-navigation2"> <div class="js-mobile-nav-toggle">Menu</div> <ul class="topMenu"> <li class="nav__tier1"><a href="https://www.trendmicro.com/privacy/">PRIVACY</a></li> <li class="nav__tier1"><a href="/about/">WHO WE ARE</a></li> <li class="nav__tier1"><a href="/about/benefits/">HOW IT WORKS</a></li> <li class="nav__tier1"><a href="/blog/">BLOG</a></li> <li class="nav__tier1"><a href="/advisories/">ADVISORIES</a></li> <li class="nav__tier1"><a class="sign-in" href="/portal/">LOG IN</a></li> <li class="nav__tier1"><a class="sign-in" href="/portal/register/">SIGN UP</a></li> </ul> <ul class="bottomMenu"> <li class="nav__tier1 logo"><a href="/"><img 
src="/images/logo.svg" width="125" height="37" alt="thezdi"/></a></li> <li class="nav__tier1"><a href="https://www.trendmicro.com/">Trend Micro</a></li> </ul> </nav> </div> <!-- End Off Canvas Menu --> <div id="imageMasthead" class="slim"> <div class="content"> <div class="oneCol"> <h1>About ZDI</h1> </div> </div> </div> <div class="status-bar"> <div class="content"> <div class="oneCol"> </div> </div> </div> <section class="blackBg"> <div class="section text other-template"> <div class="contentBlock"> <div data-anchor="the-zdi-mission" class="section our-mission"> <div class="contentBlock"> <h1>THE ZDI MISSION</h1> <p> The Zero Day Initiative (ZDI) was created to encourage the reporting of 0-day vulnerabilities privately to the affected vendors by financially rewarding researchers. At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who actually discover new flaws in software. </p> <p> Incorporating the global community of independent researchers also augments our internal research organizations with the additional zero-day research and exploit intelligence. This approach coalesced with the formation of the ZDI, launched on July 25, 2005. The main goals of the ZDI are to: </p> </div> <div class="contentBlock"> <div class="threeCols"> <div class="column"> <div class="box"> <div class="icon"> <img src="/images/icon_our_mission01.svg" alt=""> </div> <p>Amplify the effectiveness of our team<br/> by creating a virtual community of<br/> skilled researchers. </p> </div> </div> <div class="column"> <div class="box"> <div class="icon"> <img src="/images/icon_our_mission02.svg" alt=""> </div> <p>Encourage the responsible reporting<br/> of zero-day vulnerabilities through<br/> financial incentives. 
</p> </div> </div> <div class="column"> <div class="box"> <div class="icon"> <img src="/images/icon_our_mission03.svg" alt=""> </div> <p>Protect Trend Micro customers from harm<br/> until the affected vendor is able to deploy a<br/> patch. </p> </div> </div> </div> <p> Today, the ZDI represents the world’s largest vendor-agnostic bug bounty program. Our approach to the acquisition of vulnerability information is different from other programs. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. </p> <p style="color: #f7c100;"><b>We do not resell or redistribute the vulnerabilities that are acquired through the ZDI.</b></p> <p> Submitting through the ZDI program also relieves you from the burden of tracking the bug with the vendor. We make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs. We will let you know where things stand with all of your own current cases with regard to vendor disclosure. In no case will an acquired vulnerability be "kept quiet" because a product vendor does not wish to address it. </p> <p> Interested researchers provide us with exclusive information about previously unpatched vulnerabilities they have discovered. The ZDI then collects background information in order to validate the identity of the researcher strictly for ethical and financial oversight. Our internal researchers and analysts validate the issue in our security labs and make a monetary offer to the researcher. If the researcher accepts the offer, a payment will be promptly made. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through <a href="/about/benefits/">a loyalty program</a> similar to a frequent flier program. 
</p> <p> After an agreement has been reached for the acquisition of a researcher's bug report, protection filters for Trend Micro customers are developed and deployed. Simultaneously, the ZDI notifies the affected vendor so that they can develop a vulnerability patch. The ZDI discloses any and all acquired vulnerabilities to product vendors in accordance with our <a href="/advisories/disclosure_policy/">disclosure policy</a>. This disclosure policy ensures that both researchers and product vendors understand how ZDI handles vulnerability information. This policy further reassures researchers that in no case will any of their discoveries be "swept under the rug". It also reassures product vendors that there is a professional and standard set of guidelines they can expect to be utilized throughout the disclosure process. </p> <p> Once a patch is ready from the affected vendor, the ZDI works collaboratively with the vendor to notify the public of the vulnerability through a joint advisory that provides full credit to the originating researcher, unless the researcher chooses to remain anonymous. Before public disclosure of the vulnerability, we may choose to share technical details of the vulnerability with other security vendors so they too may prepare an appropriate security response for their customers. This practice allows us to facilitate the protection of a customer base larger than our own. </p> <p> In order to maintain the secrecy of a researcher's vulnerability discovery until a product vendor can develop a patch, Trend Micro customers are only given a generic description of the filter provided, not the vulnerability itself. Once details are made public in coordination with the product vendor, an updated description is made public so our customers can identify the appropriate filters that were protecting them. In other words, while our customers will be protected from the vulnerability in advance, they will not be able to discern the vulnerability itself. 
</p> </div> </div> </div> </div> </section> <div id="footer"> <div id="footerContact"> <div class="content"> <div class="footerContactBox"> <h3>General Inquiries</h3> <a href="mailto:zdi@trendmicro.com">zdi@trendmicro.com</a> </div> <div class="footerContactBox"> <h3>Find us on X</h3> <a href="https://twitter.com/thezdi">@thezdi</a> </div> <div class="footerContactBox"> <h3>Find us on Mastodon</h3> <a rel="me" href="https://infosec.exchange/@thezdi">Mastodon</a> </div> <div class="footerContactBox"> <h3>Media Inquiries</h3> <a href="mailto:media_relations@trendmicro.com">media_relations@trendmicro.com</a> </div> <div class="footerContactBox"> <h3>Sensitive Email Communications</h3> <a href="https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc" target="_blank">PGP Key</a> </div> </div> </div> <div id="footerMenu"> <div id="footerMiddleSection" class="group"> <div id="footerLinks"> <div class="content"> <div class="footerLinkBox"> <a href="/about/" class="footerTitleLink">WHO WE ARE</a> <ul> <li><a href="/about/">Our Mission</a></li> <li><a href="https://www.trendmicro.com">Trend Micro</a></li> <li><a href="https://www.trendmicro.com/en_us/business/products/network/integrated-atp/next-gen-intrusion-prevention-system.html">TippingPoint IPS</a></li> </ul> </div> <div class="footerLinkBox"> <a href="/about/benefits/" class="footerTitleLink">HOW IT WORKS</a> <ul> <li><a href="/about/benefits/#process">Process</a></li> <li><a href="/about/benefits/#researcher-rewards">Researcher Rewards</a></li> <li><a href="/about/faq/">FAQS</a></li> <li><a href="https://www.trendmicro.com/privacy/">Privacy</a></li> </ul> </div> <div class="footerLinkBox"> <a href="/advisories" class="footerTitleLink">ADVISORIES</a> <ul> <li><a href="/advisories/published">Published Advisories</a></li> <li><a href="/advisories/upcoming">Upcoming Advisories</a></li> <li><a href="/rss">RSS Feeds</a></li> </ul> </div> <div class="footerLinkBox"> <a href="/blog" class="footerTitleLink">BLOG</a> </div> 
<div class="footerLogo"> <a href="/"><img src="/images/logo-footer.svg" alt="thezdi"/></a> </div> </div> </div> </div> </div> </div> <script>var baseURL = ""</script> <script src="/js/min/main.js"></script> </body> </html>
