ZDI Paid Out $2 Million for Vulnerabilities in 2016

Trend Micro’s Zero Day Initiative (ZDI) published 674 advisories last year and paid out nearly $2 million to researchers who submitted vulnerabilities, the company said in its “2016 Retrospective” report.

ZDI encourages responsible disclosure through financial rewards, but the company does not resell or redistribute the vulnerabilities it acquires, and instead uses the information to protect TippingPoint customers against potential attacks even before a patch is made available.

Of the total number of advisories, 54 described vulnerabilities that had not been patched at the time of disclosure, while the rest were successfully coordinated with the affected vendor. Researchers reported many flaws last year, but almost 43 percent of them were rejected by ZDI.

The most interesting vulnerabilities reported through ZDI in 2016 affected Internet Explorer (CVE-2016-3382), Edge (CVE-2016-0158), Windows (CVE-2016-7272), OS X (CVE-2016-1806), Flash Player (CVE-2016-7857) and Chrome (CVE-2016-5161). CVE-2016-1806 was disclosed at the company’s Pwn2Own competition.

Several researchers stood out last year, including kdot (30 advisories), bee13oy (18 advisories), rgod (15 advisories) and Steven Seeley (20 advisories). These researchers have dozens more advisories lined up for public release as soon as vendors address the flaws. Twelve percent of the published advisories are the work of ZDI’s own employees.

Of the 674 advisories made public last year, 149 covered vulnerabilities affecting Adobe products, representing 22 percent of the total. It’s worth noting that the November Patch Tuesday updates released by Adobe for Flash Player addressed nine flaws, all reported to the software giant via ZDI.

Surprisingly, the vendor with the second-largest number of advisories, 112, is industrial automation solutions provider Advantech. Microsoft, Apple, Foxit, Oracle, SolarWinds, Trend Micro, HPE and Google also made the top 10.

Vulnerabilities reported through ZDI

“One truly interesting fact centered on the rise in advisories for Apple products, which made a significant jump this year. While only representing 4 percent of advisories in 2014 and 2015, Apple products rose to 9 percent in 2016 with 61 advisories. It will be interesting to see if this trend continues in 2017,” said ZDI’s Dustin Childs.

Currently, there are 379 advisories pending disclosure over the next four months, which indicates that the number of advisories published in 2017 will at least match the previous year’s total.

Related Reading: Trend Micro Completes Acquisition of HP’s TippingPoint

Related Reading: No Patches for QuickTime Flaws as Apple Ends Support on Windows

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
