Lessons from 15 years of bug bounties


It is increasingly hard to remember a time when bug bounty programs, let alone disclosure programs, weren't so universally accepted. These days, you'll find bounties for everything from branches of the military to your toaster.

Trend Micro's Zero Day Initiative, the largest vendor-agnostic bug bounty program in the world, was battle-hardened more than a decade before you could hack the Pentagon. They have purchased and disclosed vulnerabilities found by freelance hackers in everything from Windows to industrial control equipment. It’s one-part public service to help disclose vulnerabilities to manufacturers, one-part research service for defenders trying to get a head start on security gaps they will need to defend.  

The Initiative celebrated 15 years this week. It has disclosed more than 7,500 vulnerabilities in its time, paying out more than $20 million. Its Pwn2Own competitions have become massive events.  

SC Media talked with the Zero Day Initiative Director Brian Gorenc about how the project came to be, what the last 15 years have taught him about disclosure, and that time he inadvertently rendered NSA spy tools useless.  

There’s a long, complicated history to bug bounty and disclosure programs. For a time, many industries were really hostile to researchers trying disclose vulnerabilities. Has that changed while ZDI has been around? Is this all normal now?  

More common in the early days was companies not understanding what was happening when we disclosed vulnerabilities, when we did disclosures before Bugcrowd and HackerOne existed.  The bug bounty service companies are very, very common now and people understand this topic.   

But being a vendor-agnostic bounty program can still be confusing. We run contests designed to mimic the vulnerability grey market. Pwn2Own supplies six-figure bounties for exploits against Google Chrome, virtualization technologies and Tesla. It's hard for some people to understand the business value around offering a bounty like that, especially when we're going to get the bugs patched immediately.  If we’re in Asia, people ask us if we’re buying vulnerabilities for the American government. If we’re in the EU, they ask us if we’re from Russia. 

The program actually began as a way to kind of expand our research capabilities within our company, the idea being that we could only hire so many vulnerability researchers. We figured we could go out to the research community and try to crowdsource some of that intelligence information, to expand what we were able to cover and what types of protections we provide our customers. 

I hear one of the problems disclosure programs run into is not being prepared to handle all the vulnerabilities that get sent in – that you need to have personnel in place to handle a flood of patching.

We saw that up close. When we moved to Trend Micro after the acquisition of the Tipping Point IPS [which ZDI was a part of], that was the first thing I said to the executives. I was like, 'you now own the world's largest vendor-agnostic bug bounty program and that means the hackers who submit to it see a target on Trend Micro's software and researchers are going to look for vulnerabilities.' And to Trend Micro's credit, they handled that really really well. When we came in [Trend Micro] purchased a hundred different bugs in Trend Micro products within the first year. 

Are there any ZDI disclosures that particularly stand out? 

The one I find most interesting was in 2015, when we received a vulnerability that was supposedly a bypass for the .lnk vulnerability used in Stuxnet. The vulnerability used in Stuxnet  was one of the most popular vulnerabilities out there. It was looked at by everybody. But after that initial patch came out we received the bypass, which was unbelievable – the entire industry had been looking at this patch and nobody has noticed this bypass until [someone] submitted a full white paper with a full exploit. Microsoft patched it quickly and we didn't think much of it.  

But then, two years later, the Vault 7 leaks [guidebooks for CIA hacking tools] came out. We learned that the bypass for the Stuxnet bug was actually being used by the agencies in a tool they called EZCHEESE and when the vulnerability was patched that they actually had to go develop a different tool.

As disclosure programs have become more common, what mistakes do companies make trying to implement them?  

We'll see a lot of companies that just won't respond at all. They'll advertise that they are accepting vulnerability disclosures through their security apps or some sort of thing, but they're actually not monitoring it.  

Eventually, we’ll release the zero-day advisory and when it reaches the press, the vendor will reach out to us through various different mechanisms. We've had the chief marketing officer of a company reach out to us and ask what's going on. We've had low-level engineers reach out to us to figure out what's going on. But the actual response mechanism had failed.  

Good communication is extremely important. One of the most valuable things is building a relationship with the researchers who are looking for security vulnerabilities. They really, really know technology, so they can give you a lot of help and guidance on security. 

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.