Trend Micro has been overseeing the Zero Day Initiative, the world’s largest vendor-agnostic bug bounty program, since 2016. By paying cash for new bugs, including exploits in enterprise software, Trend aims to protect its customers from the latest cyber threats. The program’s more than 3,500 participants are finding vulnerabilities in technologies made by major technology players.
The initiative holds to a 120-day disclosure policy. Vendors get 120 days to remediate a newly discovered vulnerability and get a security patch out. After that, Trend will disclose the vulnerability to the public. “We set up the disclosure policy so vendors wouldn’t dismiss us too easily,” said Dustin C. Childs, CISSP, Communications Manager for the Zero Day Initiative at Trend Micro. “It’s a touchy subject, but honestly, it’s in everyone’s best interest to work with the process.” He continued, saying, “Our value is in our ability to protect against the impact of a rushed vulnerability patch, like patch on Tuesday and get attacked on Wednesday.”
2017 was the busiest year to date, with 1,007 disclosures. However, in the first seven months of this year, there have already been 880. “Is this good or bad? I don’t know,” Childs said. “It’s worrisome that the threat environment is growing so much, but at the same time, it’s good that we’re catching more of them.” The initiative also offers what Childs calls “Frequent flier” bonuses for active submitters.
According to Childs, Trend Micro is expanding the scope of the bug bounty now to include devices and middleware. “We’re moving beyond the OS,” he noted. “Attackers are looking for fresh vulnerabilities everywhere.” He added, however, that they’re avoiding IoT for now, given its massive scale, explaining, “We’d go broke with IoT.”
One advantage of the Trend Micro approach is they can drive vulnerability research where they want it to go. For example, if they wanted to see if virtualization products suffered from vulnerabilities, they could create a cash incentive to find bugs in that category. Right now, they are interested in finding bugs in platforms like Drupal, WordPress, Apache and Microsoft IIS. For a limited time, they are even offering a special $25,000 reward for vulnerabilities in Joomla. (Gentlemen (and ladies)… start your engines!)
Their work puts them at odds, at least in theory, with the national security establishment. It is a poorly kept secret that agencies like the NSA like to keep bugs private so they can exploit them in the infrastructure of our adversaries. Per Childs, they have never been contacted by the NSA, but they believe they have accidentally disrupted at least one NSA operation.
The best bugs, though, in Childs’ view, are the ones that never get shopped in the first place. “You have to red team yourself,” he said. “Work a secure development lifecycle – an SDL – including in post release.”
He also recommended that vendors invest in infrastructure and process to manage the bug remediation process. “It’s critical that you be able to service your product, from a security perspective, after you ship.”