Submission Advice for Security Researchers

February 20, 2020 | Shannon Sabens

The ZDI would not be what it is today without the great contributions of independent security researchers like you. We have built a nice team – solid processes and strong vendor relationships – but we are most proud of the work of the security research community that comes together to contribute to our program. To the 9,000+ registered contributors to the ZDI program: You are the best part of my job and enabling your research is the thing I come to work for every single day.

First, why ZDI? I believe that we have retained this large community of researchers as a result of our consistency. If we like your work, we will vet it, offer on it and pay the award offered relatively quickly. All reports are provided to the vendor. We also report relevant details to our TippingPoint Digital Vaccine® (DV) team so that they can build protections for our Trend Micro customers. No other parties receive details for the duration of the embargo. In cases where the vendor is not a CVE Numbering Authority (CNA), ZDI can act as the CNA to ensure you receive a CVE for your research. You can be anonymous if you choose, or we can publicly credit you in the published advisory. If the product target is in its serviceable period, but the vendor does not offer an award for vulnerabilities in the target, we may still choose to do so. Then, though you accepted an award, after the embargo period, just ask us, and you are still welcome to publish your work.

That said, how can I better help you to help me to help you? In 2017, I posted a blog titled “Getting Into Submitting” with some guidelines about submissions to ZDI and how we evaluate them. Many things are the same as ever, but I hope to offer some updated guidance for new submitters. And, I hope to offer some additional context to our regular submitters. I want you to be informed about the process and I hope to make our working relationship easy!

What hasn’t changed? Well, our recent Upcoming and Published advisory pages remain the best reference for what reports we are acquiring. We are still primarily enterprise-focused and looking for these qualities: remote code execution, critical, widely deployed, browser bugs, server-based, OS flaws, sandbox escapes, VM escapes, and security product vulnerabilities.

We have an increased interest in the ICS/SCADA space. We hosted our first ever ICS-focused Pwn2Own last month. This space is a vast, wide-open, untamed terrain for the hungry bug-bounty hunter. This is a great place to grow and show your skills.

Our consumer interests include very widely used IoT devices and highly popular mobile devices. Sharpen your skills now and be ready to take on the Pwn2Own competition in the fall in Tokyo.

We do not offer on bug reports involving cross-site scripting (XSS), DLL planting, ActiveX, live website, gaming software, nor anything already publicly posted or otherwise known.

We do not offer on reports about products in beta, “preview”, “pre-release” or “extended support,” but only on those in “mainstream support.” Please know that acceptance of denial-of-service reports is rare, as are any post-authentication reports.

You can choose to submit either to ZDI, or directly to the vendor, but ZDI cannot accept reports which were already submitted to the vendor. 

Please do not post any evidence to a public cloud or website, such as YouTube or Google Docs, if you intend to submit your case to ZDI. We cannot accept reports that have already been exposed in this way, regardless of the level of sharing that was enabled on the cloud document. If you have a very large file to submit, let us know! We will be very glad to help.

When in doubt, mails to gauge our interest are always welcome – if encrypted*. We do not accept submissions via email. While we are happy to answer questions via email, you must create an account and log in to submit a bug report. Please just tell us the product and the bug type, and we will tell you if we are interested in seeing more. If you have a sizable collection of related vulnerabilities to offer us, we would welcome an email inquiry about them prior to making submissions. Note that we will not quote prices in email for reports we have not seen and vetted.

I always say that the marketplace for vulnerability and exploit reports is an economy much like any other. Award amounts can vary based on the product target prevalence, the quality of the proof-of-concept and the write-up, our business needs, and the volume of submissions in the target or target area. Again, ZDI will only quote award offer pricing after vetting. If we reject a case or if a researcher does not accept our offer, for any reason, we acquire no rights whatsoever to that report and it is simply closed.

Now as ever, we remain passionate about what you do! You impress us, you teach us, and you have helped us grow. Thank you very much for considering ZDI as a vehicle for your research. If you have further questions, please write to us at zdi@trendmicro.com. We look forward to talking more about your research.

With best wishes,
Shannon

*As a reminder, all communications should be PGP encrypted. Our PGP public key is found here. Our PGP fingerprint is 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228.