Updates and New Targets Available in the Targeted Incentive Program

November 07, 2018 | Brian Gorenc

Back in July, we announced the Targeted Incentive Program – a special program for high-value targets. We wanted to focus on server-side vulnerabilities, and the initial target list included Joomla, Drupal, Wordpress, NGINX, Apache Web Server, and Microsoft IIS. Today, we’re announcing some of the results we’ve seen so far and updating the program with additional targets. 

So far, we haven’t received an entry that qualifies as a winner in any of the available categories. However, we have received some interesting bugs that we purchased through the regular ZDI program. Most notably, we bought a couple of fascinating bugs in Drupal that can be used together to get code execution on a target system. The caveat here is that these particular vulnerabilities only worked when an attacker uploaded three malicious “images” to the target server and tricked a site Administrator to follow a crafted link to achieve code execution. We’ll be publishing details about these bugs once they’ve been addressed by the vendor. Again, this is great research that we love to see, but it isn’t a complete exploit chain resulting in code execution, and thus not a win.

As of today, Joomla, Drupal and WordPress are no longer in TIP initiative. If you still have bugs in these products, we’ll still buy them through our standard process, which doesn’t require full exploits to get payouts. If you’re considering submitting a vulnerability in these products – or any product – check out this blog to maximize your research, and if you have any questions, you can always reach out to us at zdi@trendmicro.com.

The first of these new targets also carries a high reward. The first successful code execution chain submitted for OpenSSH will earn $200,000 USD. Other authentication methods have been in the news recently due to a trivial authentication bug that allowed administrative control of a vulnerable server through libssh. It will take a bit more than that to earn the full award in this category, but considering how much we rely on OpenSSH, any bugs will surely be significant. 

The second new target being added is ISC BIND. This has also recently been in the news due to a bug in the “deny-answer-aliases” feature that could allow a DoS to occur. Again, this vulnerability would not have been enough to win a TIP award, but it does show how critical bugs in the most common DNS server can be. If a DoS in a rarely used feature can garner headlines, imagine how impactful a code execution vulnerability could be. We’re offering $200,000 USD to someone who can imagine just that.

Finally, the last new target being added is for Windows SMB. There have been many SMB-related exploits over the years, with one of the more recent examples found in the Eternal Blue/WannaCry malware. For those wondering, SMBv1 is out of scope. Microsoft recommends disabling this outdated version, and so do we. The more recent versions are in scope, and the first winning entry will earn $200,000 USD for their efforts.

Here’s a complete list of all of the currently available targets and awards:

Target Operating System Bounty (USD) Time Frame
NGINX Ubuntu Server 18.04 x64 $200,000 August 2018 through November 2018
Apache HTTP Server Ubuntu Server 18.04 x64 $200,000 August 2018 through December 2018
Microsoft IIS Windows Server 2016 x64 $200,000 August 2018 through January 2019
OpenSSH Ubuntu Server 18.04 x64 $200,000 November 2018 through February 2019
ISC BIND Ubuntu Server 18.04 x64 $200,000 November 2018 through March 2019
Windows SMB Windows Server 2016 x64 or Windows 10 x64 $200,000 November 2018 through April 2019

That brings the total available TIP rewards to $1.2 million USD. We’ll continue to update the TIP initiative with new targets as awards are claimed and as targets time out. Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the program. We look forward to seeing the submissions, and best of luck to all of the program participants.