The program has seen an increase in its visibility and loyalty every year, there are some high-profile researchers out there who mention the program and are very supportive.
director of security researchTippingPoint
The program was responsible for getting vendors to fix a record 300 vulnerabilities in 2010, far outpacing the 100 or so vulnerabilities repaired in 2009. Dan Holden, director of security research at TippingPoint, said the program, now in its fifth year, continues to receive highly critical vulnerabilities. Holden attributes the increase in submissions to the improvements made to automated fuzzing tools and the number of new researchers surfacing in recent years.
"The program has seen an increase in its visibility and loyalty every year," Holden said. "There are some high-profile researchers out there who mention the program and are very supportive."
About half of all vulnerabilities being targeted by attackers are Web application vulnerabilities, Holden said. The Web browser and its components continue to be a favorite target. Cross-site scripting (XSS), SQL injection and PHP file includes continue to be the top targets of cybercriminals. Holden said the vulnerabilities are easy to exploit and there are many automated attack toolkits available that can target multiple classes of vulnerabilities.
"What attackers are really interested in is a sustainable business model," Holden said. "All these vulnerabilities have a window of opportunity."
Web application vulnerability attacks have become so pervasive that other software vendor bug bounty programs have been extended to reward researchers who find them. Mozilla's bug bounty program was extended in December to include flaws discovered on its websites. Google's bug bounty program was extended in November to include serious Web application flaws in YouTube, Blogger and several other websites. Both vendors pay out as much as $3,133.70 per vulnerability.
The vulnerabilities submitted by researchers via the ZDI program are similar, but given the nature of the program, TippingPoint seeks out highly critical flaws. The average Common Vulnerability Scoring System (CVSS) score for vulnerabilities submitted to the ZDI program is 9.9. The CVSS scoring system, maintained by the National Institute of Standards and Technology, gives serious vulnerabilities its highest rating of 10.0.
Apple's QuickTime is the most targeted by attackers. The ZDI program was responsible for 54 fixes in Apple software. In addition to Apple, Microsoft, Novell, Mozilla, Adobe and IBM -- software vendors with a high user base -- continue to be lucrative targets. In December, RealNetworks issued a patch that fixed 20 vulnerabilities that were submitted via the ZDI program.
Accepted submissions represent an array of memory corruption and buffer overflow vulnerabilities. TippingPoint does not disclose what it pays per vulnerability. It has a criteria to determine the severity of a vulnerability and will then establish a reward payout. Researchers can accumulate points over the course of a year to gain a bonus payout as high as $25,000, though security researchers say the program typically pays out much less for vulnerabilities. "There's a core group of researchers who have been with the program for a long time," Holden said. "Most of the vulnerabilities submitted are of high quality and they have only gotten better over time."
Holden said CanSecWest has played an important role in growing the ZDI program. Pwn2Own draws dozens of researchers to try their hands at hacking browser zero-day vulnerabilities and zero-day flaws in mobile devices. TippingPoint is currently planning the 5th annual competition with both monetary and hardware prizes valued in excess of $100,000.
Peter Vreugdenhil, an independent Dutch researcher who won $10,000 in TippingPoint's popular Pwn2Own contest at the CanSecWest Applied Security Conference in Vancouver, B.C., was hired by TippingPoint in 2010. Vreugdenhil targeted a zero-day vulnerability in Microsoft Internet Explorer to bypass Microsoft's address space layout randomization (ASLR), a security feature in Windows 7.
Holden, who along with program manager Aaron Portnoy, have overseen several changes to the program, said there are a loyal group of researchers who have been sharpening their skills, resulting in better submissions. In addition, the program continues to draw submissions from new researchers even after Mozilla and Google announced their own bug bounty programs and increased the pay out for highly critical flaws submitted directly to them.
In addition, TippingPoint made some changes to its ZDI program. The program is now forcing software vendors to comply with a six-month patching schedule to fix vulnerabilities. If software vendors fail to comply, TippingPoint will issue a limited advisory prior to a patch. Six months allows vendors to verify and fix vulnerabilities and "most importantly to [ensure] the test is indeed testing the vulnerability but also not breaking anything else," Holden said.
The program also added a Diamond status, which rewards its most active researchers. Gaining Diamond status rewards a researcher with a one time bonus of $25,000, paid travel to the DEFCON and Black Hat security conferences, and monetary and rewards points bonuses over the next year.