Getting Into Submitting: How to Maximize Your Research

September 06, 2017 | Shannon Sabens

Your success is important to us. We are here to invest in your passion for security research. We want researchers contributing to the ZDI to be successful and to receive bounties for submissions. That said, the ZDI collection of vulnerability research and exploits is a curated collection. We do not offer on all submission reports, although we do have a high acceptance rate when compared to other programs. This is thanks in part to our strong base of submitters – even with our high-quality bar. However, researchers new to the ZDI community are often unsure how to get started, and they sometimes miss the mark a bit. In this blog, we will suggest steps to increase your odds of acceptance and to potentially maximize your bounty payout from ZDI.

Getting Started

To begin, we suggest that new submitters review our Upcoming and Published pages to see what product targets and vulnerability types we are currently buying. Look at the most recent years only – you need not go back far, as older purchases do not necessarily reflect our current purchasing trends. Likewise, if you see a significant quantity of bugs in a particular product target, you may want to send us a note to ask if we are still interested. This is one area we can’t stress enough. If you have questions about what types of reports we accept, a quick email can save you time and confusion.

What we DO really want to see is bug reports in our queues featuring qualities like: server-based, enterprise, critical, RCE, mainstream, widely-implemented, ICS/SCADA, IoT, browser bugs, OS flaws, sandbox escapes, VM escapes, security products and mobile vulnerabilities.

We are not currently offering on bug reports involving: cross-site scripting (XSS), DLL planting, Denial of Service (DOS), web-based or online tools, ActiveX, post-authentication, most consumer products (widely used security products and some IoT may be the exception) and anything already publicly posted or otherwise known.

If you do not see the product target you are most interested in, please write to us at zdi@trendmicro.com to gauge our interest. Please note that we will not quote pricing in email for vulnerability reports that we have not seen and vetted. However, we will tell you if our interest in the product target and vulnerability type is strong or soft.

Also, and we cannot stress this enough, we do not accept submissions via email. Bugs reports sent through email, even if encrypted, will not be accepted. Instead, please open an account on our portal and submit through there. A proof-of-concept is required; an exploit will augment any potential offer but is not required. An exploit will not be accepted in lieu of a proof-of-concept. The more detailed the write-up, the faster we can vet the report and respond. Likewise, the more work you have done to prove exploitability, versus the work we will have to do, impacts the offer scale.  

How to Submit

Generally, please tell us:

- How did you find this vulnerability?
- Can you identify exploitability?
- Can you identify root cause?
- Please include version information and any specific configuration/hardware requirements.

Know that DETAIL is likely to improve both our response time and your payment. Also, if you provided a fuzzed file, please also include the original file whenever possible. This will better enable us to help Trend Micro product teams team to provide filtering for the vulnerability you have reported.

We suggest the following template:

1.     Vulnerability Title
        -   (e.g. Vendor Product Module Vulnerability Remote Code Execution Vulnerability)
2.     High-level overview of the vulnerability and the possible effect of using it
3.     Root Cause Analysis
        -   Detailed description of the vulnerability
        -   Code flow from input to the vulnerable condition
        -   Buffer size, injection point, etc.
        -   Suggested fixes are also welcomed
4.     Proof-of-Concept
        -   A test case to trigger the vulnerability
        -   Optional: exploit code
5.     Software Download Link
        -   For vetting purposes
6.     Optional: Detection Guidance
        -   Identify what the vulnerability looks like across the wire
        -   Pinpoint filterable conditions like protocol, ports, URI, buffer lengths,
           allowed character sets, etc.
        -   Identify alternative attack vectors

If at any point, you need or want to send additional information about your report to ZDI, please write to us at zdi@trendmicro.com. Note that any mails including details about product vulnerabilities reports MUST BE ENCRYPTED. If encryption is not used, your submission report will be rejected by default.

So, now that you have submitted, what should you expect from ZDI? Please give us a couple, or even a few weeks, to review and vet your report to us. Different product types have different internal queues, volumes, and vetting times. Please know that cases are generally taken in the order they were received within their product queue context. Mails to zdi@trendmicro.com will not improve your case priority. Queue times can vary with volume and complexity. For that, we thank you for your patience.

How much can you expect to be paid for your submission? Please expect bounty payments will vary by:

- Vendor/Product desirability/Distribution: A widely deployed product will garner more attention than a boutique or little-used product.
- Criticality/Effect of the vulnerability: A full remote code execution bug is more valuable than just a denial of service.
- Quality of the write-up: A white paper is more valuable than a brief blurb.
- Potential addition of an exploit: PoC is required, but example exploits always help.
- Availability on the market of vulnerability reports in the given product target: If everyone is reporting bugs in a certain product, the payout for that product will likely go down.

We should also note that if you reject the offer, your research continues to be your own. It’s as if you never submitted it to us. Finally, please note that to receive payment, with the first offer, researchers must provide a copy of his/her government-issued ID, and a completed W9 (for US citizens and residents) or W8 (which we will provide to non-US citizens/residents).

Know that we are always excited to grow our community and to continue to enable community-based security research. We thank you for entrusting your research to ZDI. Please do write to us at zdi@trendmicro.com if you have additional questions. We want to help you help us.

Best regards,
Shannon