Tales from HallwayCon – Busting Myths Over Adult Beverages

March 29, 2018 | Dustin Childs

Statistically speaking, on any given day somewhere in the world, there’s an infosec conference happening. At each of these conferences, whether it’s a huge one like Black Hat and RSA or smaller events like DerbyCon, a separate yet unspoken conference happens at the same time: HallwayCon. This term covers the informal talks and conversations people have between talk tracks – sometimes even at a bar. There are those who feel HallwayCon is as important if not more important than the actual Con. It is often during these informal conversations that people feel more open to expressing their true opinion. This is especially true if that opinion may be considered unpopular or controversial. However, these opinions may not actually be grounded in fact, and HallwayCon affords the opportunity to counter some of those unpopular opinions in the casual setting of who is ordering the next round. If “in vino veritas” applies, where better to cut to the truth than a pub? At CanSecWest, I was fortunate enough to have a few of these conversations, and it struck me how many people have misconceptions about the Zero Day Initiative (ZDI) program and how we operate. Since I can’t buy the first round for everyone, let me dispel some of these notions as best as I can. Let’s start with the biggest misunderstanding I hear.

Misunderstanding: What do you mean you buy [bugs/exploits/vulnerabilities]?
The ZDI program purchases bug reports from independent researchers from around the world. They contact us and provide details about a vulnerability in software. We validate it and either decline to purchase or make an offer. If we decline, the researcher still owns all of their research and ZDI takes no further action (see below). If the researcher accepts the offer, ZDI essentially takes ownership of the intellectual property. We do two things with the bug.

To start, we report the vulnerability to the affected vendor. To help ensure they don’t ignore the bug, ZDI’s disclosure policy states that we will publish additional details about the vulnerability if action isn’t taken within a reasonable time. After a patch is available, the original researcher can talk about the bug publicly provided they seek approval of the disclosure/blog/conference presentation with us. We have yet to say no to such a request, but we do want to know it is being published.

Information about the vulnerability is also provided to our filter/signature teams, like DVLabs. They produce filters for Trend Micro products to provide protections for Trend customers before a security patch is available.

Myth: Once a bug report is sent to ZDI, we own it.
Reporting a bug to ZDI is just the first step in the process, but until the offer is accepted, we make no claims on the bug report. Some people believe we act on reports even if we don’t actually purchase the report. While it may be hard to believe, we don’t do this. Your research remains your property until a formal offer is accepted. We don’t act on it until that time. Does that mean some people shop their bugs around looking for the best deal? Probably. Do we think our way of doing things is best for building long-term relationships with independent security researchers? Yup. It can be tough, but it’s worth it.

Myth: We sell our feed/database/confidential info to others.
Nope. Maybe it’s a sign of how much people really want this information, but many seem to think this to be true, and it simply isn’t. We use bug reports to build filters to protect Trend Micro customers prior to security patches being made available. That’s it. We don’t sell it, lease it, rent it, or otherwise expose it to anyone. Not to other companies. Not to government entities. Not to organized crime. Not on the dark web. Not for cryptocurrency. Not to your best friend’s sister’s boyfriend’s brother’s girlfriend who heard from this guy who knows this kid who’s going with a girl who swears she saw it on a screen somewhere. And please don’t ask us for it – the answer is no.

Myth: You need a fully functioning exploit to get paid.
If you want to win Pwn2Own, you will need a full exploit chain. To participate in the ZDI program, you only need to be able to identify the bug. A full exploit isn’t required. Of course, the quality of your report does affect how much you can earn. How can you maximize your research? Read this blog from our program manager, Shannon Sabens! She offers you great advice on how to get the most out of the bugs you find. We truly want you to succeed, and we’ll do what we can to help.   

Myth: Pwn2Own should have a <whatever> category.
Maybe. We evaluate each Pwn2Own event and change the categories based on many factors, but there are certain categories that – so far – have been too difficult to stage. You want a Pwn2Own for ICS robots or autos? That sounds cool! But, bringing robots and cars into a small hotel conference room where exploits can be demonstrated in a controlled environment yet still retain a level of authenticity to show real-world impact turns out to be pretty hard. Same goes for other categories like hardware, IoT, SCADA, et al. Plus, what’s the customer value for hacking a robot? While definitely interesting, the impact just isn’t the same as our current targets. One reason we look at web browsers is that everyone uses web browsers. The virtualization category highlights potential security issues with cloud computing. While hacking cars and robots (or whatever) certainly has an impact, “reach” is considered when choosing targets, and the broader the better. I’m not saying these categories will never happen. I’m just saying the logistics of putting on a competition like Pwn2Own can be a bit trickier than most imagine. Maybe that will be the topic of a future blog post.

Myth: I can’t ask questions prior to submitting a bug.
We actually hope you do. You can always reach us at zdi@trendmicro.com. Our PGP key is here. You are more than welcome to reach out to us before submitting. Maybe you want to know if we’re interested in product X. Maybe you want more details on how the program works. Maybe you want clarification on a Pwn2Own category or configuration. We’re happy to answer – just send us an email.

Myth: ZDI doesn’t really do stuff outside of Pwn2Own.
Sure we do! Not to brag, but we are the largest vendor agnostic bug bounty program in the world. We publish a lot of advisories – more than 1,000 in 2017 alone. ZDI researchers speak at conferences around the world about the program and their own research. We’ve been here for more than 12 years. We can’t keep growing if we’re leaking data, abusing vendors, or taking advantage of researchers. With more than 250 advisories published this year already, we plan on continued growth and would love for you to be a part of it.

Back to the Hallway…

These are just a few of the many myths and misconceptions I hear about the program while out at conferences. I get that you may have had a bad experience in the past with a similar organization, but trust me, that’s not who we are. I enjoy the HallwayCon aspects of conferences, and I enjoy meeting people and discussing the ZDI program – even when misconceptions exist. We do get to a lot of conferences throughout the year. If you see us out and about, stop by for a chat, a sticker, and sometimes even a challenge coin. We’re actually working on “official” HallwayCon t-shirts. Just check for us in the hallway between tracks. You’ll find us talking – and myth-busting – as much as we can.

You can find me on Twitter at @Dustin_Childs, and follow the team for the latest in exploit techniques and security patches.