ZDI Paid Out $2 Million for Vulnerabilities in 2016

Trend Micro’s Zero Day Initiative (ZDI) published 674 advisories last year and paid out nearly $2 million to researchers who submitted vulnerabilities, the company said in its “2016 Retrospective” report.

ZDI encourages responsible disclosure through financial rewards, but the company does not resell or redistribute the vulnerabilities it acquires, and instead uses the information to protect TippingPoint customers against potential attacks even before a patch is made available.

Of the total number of advisories, 54 described vulnerabilities that had not been patched at the time of disclosure, while the rest were successfully coordinated with the affected vendor. Researchers reported many flaws last year, but almost 43 percent of them were rejected by ZDI.

The most interesting vulnerabilities reported through ZDI in 2016 affected Internet Explorer (CVE-2016-3382), Edge (CVE-2016-0158), Windows (CVE-2016-7272), OS X (CVE-2016-1806), Flash Player (CVE-2016-7857) and Chrome (CVE-2016-5161). CVE-2016-1806 was disclosed at the company’s Pwn2Own competition.

Several researchers stood out last year, including kdot (30 advisories), bee13oy (18 advisories), rgod (15 advisories) and Steven Seeley (20 advisories). These experts have tens of other advisories lined up for public release as soon as vendors address the flaws. Twelve percent of the published advisories are the work of ZDI’s own employees.

Of the 674 advisories made public last year, 149 covered vulnerabilities affecting Adobe products, representing 22 percent of the total. It’s worth noting that the November Patch Tuesday updates released by Adobe for Flash Player addressed nine flaws, all reported to the software giant via ZDI.

Surprisingly, the vendor with the second largest number of advisories, 112, is industrial automation solutions provider Advantech. Microsoft, Apple, Foxit, Oracle, SolarWinds, Trend Micro, HPE and Google also made the top 10.

Vulnerabilities reported through ZDI

“One truly interesting fact centered on the rise in advisories for Apple products, which made a significant jump this year. While only representing 4 percent of advisories in 2014 and 2015, Apple products rose to 9 percent in 2016 with 61 advisories. It will be interesting to see if this trend continues in 2017,” said ZDI’s Dustin Childs.

Currently, 379 advisories are pending disclosure over the next four months, which suggests that the number of advisories published in 2017 will at least match the previous year's total.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
