Bug bounty platform ZDI awarded $25m to researchers over the past 15 years
Bug bounty platform pioneer Zero-Day Initiative (ZDI) said it awarded more than $25 million in bounty rewards to security researchers over the past decade and a half.
In an anniversary post celebrating its 15-year-old birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions.
Most of these bugs were filed through the ZDI’s vendor-agnostic bug bounty platform, but many were also acquired through Pwn2Own, a yearly hacking contest that ZDI organizes.
A short history of ZDI
While certainly not the first bug bounty program, ZDI is the first program to have built a sustainable business model around its platform.
ZDI got off the ground in 2005 when it was set up as a special project inside 3Com, a vendor of computer and networking gear. The program operated by paying security researchers for vulnerability reports in popular software products.
At the time, this was a ground-breaking concept.
While today all the big major tech companies, and even the smaller ones, have a bug bounty program, in 2005, none of those programs were yet up and running.
In the 2000s, security researchers had to individually contact security teams at each company and report vulnerabilities, without any promise of any monetary reward.
This process was usually time-consuming, and more often than not resulted in bugs not getting fixed, security researchers skipping the bug reporting process altogether, or bug hunters receiving legal threats if they planned to go public about their findings.
But when ZDI began operating at scale, the platform finally provided a way for security researchers to (1) get paid and (2) leave the bug reporting process to ZDI and avoid getting sued.
Backed by 3Com, ZDI served as the perfect intermediary, and its parent company was also turning a profit from the program, as 3Com engineers would incorporate the bugs reports received via ZDI into TippingPoint, a security product that often provided protections for exploits months before competitors.
Over the years, ZDI expanded and grew. The program moved to HP, when Hewlett-Packard acquired 3Com, was spun into Hewlett-Packard Enterprise (HPE), and finally moved under Trend Micro’s parentage in 2015, when the security firm acquired TippingPoint from HPE.
Leading bug bounty program today
Today, the program is historically the most successful bug bounty platform ever and has been recognized as the world’s leading vulnerability research organization for the past 13 years in a row.
According to a report from Omdia published last month, ZDI was responsible for more than half of all the vulnerability disclosures in 2019, more than any other vendor or bug bounty platform.
Furthermore, ZDI has also expanded into running hacking contests, and since 2007 has been managing the renowned Pwn2Own hacking competition.
While it started with one contest per year, ZDI now runs three separate Pwn2Own contests, with one focused on business software and operating systems, a second on mobile devices and IoT, and a third dedicated to ICS/SCADA products.
Pwn2Own is today’s best-funded hacking competition, with the biggest rewards on the market, and the reason why all the major security teams and researchers attend its editions, year in, year out.
And in true ZDI fashion, all the vulnerabilities reported during the contest are reported to vendors, and researchers paid for their findings.