.

Zero Day Initiative

<<

morpheus063

User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Mar 07, 2010 2:51 am

Zero Day Initiative

Are you a security researcher? You want to get rewarded for the vulnerabilities discovered by you? If yes, Zero Day Initiative is for you?

ZDI is an initiative by Tipping Point for rewarding security researchers for responsible vulnerability disclosure. More information is available at

http://www.zerodayinitiative.com/

Any ZDI members here?  ???

Note: Typo edited / removed. Thanks to hayabusa for pointing it out.
Last edited by morpheus063 on Sun Mar 07, 2010 12:40 pm, edited 1 time in total.
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 07, 2010 11:24 am

Re: Zero Day Initiative

Manu Zacharia (-M-) wrote:Are you a security researcher? You want to get rewarded for the vulnerabilities discovered by you? If yes, Zero Day Initiative is for you?

ZDI is an initiative by Tripping Point for rewarding security researchers for responsible vulnerability disclosure. More information is available at

http://www.zerodayinitiative.com/

Any ZDI members here?  ???


Just a note... it's Tipping Point (not Tripping Point.)  I'm not a member, yet, but have considered it, and I'm also looking at their IPS solutions (They're discussing partnering with me, for some of my clients, so I'm very interested in everything they're doing, right now...)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Mar 07, 2010 11:52 am

Re: Zero Day Initiative

To determine the worth of a vulnerability, researchers should sign up for an account and submit it for a valuation. If an offer is not made or an offer is made but not accepted by the researcher, the vulnerability information will remain the property of the researcher and will not be used in the Zero Day Initiative (ZDI) program.


That's an interesting paragraph there.  "If we don't agree on payment terms, you are free to release to your 0day back into the wild."
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 07, 2010 12:43 pm

Re: Zero Day Initiative

I'm not certain I'd like that piece, myself (if I were looking at it from the standpoint of someone who regularly tries to make money on these things,) as once you've submitted it, what's to stop Tipping Point (or whomever) from doing their own research on it, releasing it themselves, or coding things into their products as an 'advance knowledge' release, to give them heads up over other protection vendors.

Note, from Tipping Point's perspective, I COMPLETELY understand it, and as a security professional, in general, I don't have a problem with it, per se.  I'm not personally in any position where I want or need to monetarily gain from finding holes in outside code.  That doesn't mean that I wouldn't accept compensation if I find a new hole during a pentest - just that I wouldn't go looking through code for the sake of doing it, to make a profit, as other companies or individuals do.  But that's just me, and if it's what you're best at, more power to you, because you are using your talents to make the world a better place, in your own way.

Note - There's a fine line, in this world, between those who profit from others' mistakes, and those who profit for the greater benefit of others...  (While this falls into both categories, it becomes, to me, 'Which perspective or side are you acting from, when you submit the 0day?')  This is one of those very gray areas (not black and white) in the security world.  If you're doing it for good reasons, and making money while you're at it, that's great!  If you view it as trying to draw attention to xyz company's code, and really make them look bad (while still making money,) then to me, you're not being ethical.  Ethical, in my world, isn't intentionally making another vendor or developer look bad, but rather, working to help them, and their customers, to be more secure and trustworthy.  So programs like this one, when utilized properly, in an effort to benefit all, are, IMHO, good ones.

I only know that, for me in general, I have better use of my own time, NOT digging through code all day looking for issues, when I can be more valuable in educating customers, coworkers, the community at large, and others in all aspects of security, not JUST code.  ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Mar 07, 2010 2:35 pm

Re: Zero Day Initiative

I think that the issue may go deeper though. 

You could have script kiddies that hang out in the "hacker" circles and get their hands on some 0day stuff that floats around.  They would then turn around and try to sell that 0day stuff to Tipping Point, without knowing much about it.  How does Tipping Point screen this?

Does Tipping Point have a responsibility to report the 0day stuff they don't purchase?  They can't simply wash their hands of it and pretend that it didn't exist.  Where do they draw the line?

It's a difficult business purchasing 0days, me thinks. 
~~~~~~~~~~~~~~
Ketchup
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 07, 2010 3:23 pm

Re: Zero Day Initiative

I fully agree, Ketchup. 

Like I said, to me, it's a very gray line, and I should've clarified, not just for the seller, but the buyer, as well.  I've never been a fan of 0day, so to speak, at least not in the way it's ever been handled.  And I don't know that there's ever going to be an easy way to 'regulate' it.  I think exchanging any money for them is just asking for trouble, unless the sole buyer was to be the vendor who wrote the code, and was willing to buy, for themselves, to remediate.  Otherwise, ultimately, there's too much room for error. 

However, there's also the devil's advocate position / opinion, that these 0day's may never come to light at all, until it's too late, if nobody is willing to buy in effort to remediate.  So it's a catch-22, regardless...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Mar 07, 2010 4:09 pm

Re: Zero Day Initiative

Yep, I agree there.  These discussions seem to come up once in a while.  We had a similar discussion when the anti-sec movement was pwning people.  I doubt that there is a good way of handling these situations, since they are morally ambiguous in nature. 
~~~~~~~~~~~~~~
Ketchup
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Mon Mar 08, 2010 4:05 am

Re: Zero Day Initiative

there's no insurance for either the buyer or seller in this matter. its like a drugsdeal (which go bad almost all the time, if we believe hollywood). both have something they want, but is it legit? how does either of the both party's know there not getting crossed? like hayabusa said, its like making a deal with the devil, hoping he's a saint. i'd like to see this initiative to work, but there has to be extream caution in getting this bulletproof.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Mon Mar 08, 2010 10:32 am

Re: Zero Day Initiative

Ketchup,

Under the terms of the ZDI initiative, I think that when Tipping Point doesn't reach an agreement on a zero day, the can (and must) wash their hands of it and pretend it doesn't exist. 

As for the screening of submissions made by script kiddies who steal the code from legitimate hackers, I don't think Tipping Point has a dog in this fight.  Don't give your zero day code to anyone you are worried might disclose it.  Disclosing someone else's zero day code might be unethical, but at the same time still serve the greater good.  At the end of the day, Tipping Point only needs to protect its clients in the most efficient manner possible.  If that involves purchasing code from less than golden individuals, so be it.

On a personal note, although I don't use Tipping Point, I've had the demo.  If management would sign off on it, I'd have bought this product last year, completely independent of the ZDI due to the extensive protocol grammar engines.  The ZDI just makes the case for the product that much stronger.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 08, 2010 10:49 am

Re: Zero Day Initiative

Exactly.  (Thus my possibly signing on as a partner.)  I've been very pleased with their devices, and have only heard and seen good reviews on them.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 08, 2010 6:24 pm

Re: Zero Day Initiative

I am not sure how I would feel about myself, when I would have to wash my hands off and forget the 0day I couldn't purchase, if I was Tipping Point.  I realize that this program has the potential to increase security and get some 0days out of the wild, but still.    It's a tough choice to make, when do I say I can just can't pay you that much and you I give you back your 0day. 
~~~~~~~~~~~~~~
Ketchup
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Tue Mar 09, 2010 7:31 am

Re: Zero Day Initiative

Ketchup wrote:I am not sure how I would feel about myself, when I would have to wash my hands off and forget the 0day I couldn't purchase, if I was Tipping Point.   I realize that this program has the potential to increase security and get some 0days out of the wild, but still.    It's a tough choice to make, when do I say I can just can't pay you that much and you I give you back your 0day.   


in theory this goes completely against the purpose (mission and vision) of the company, making the whole idea ridiculous.
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Return to Links to cool sites.

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software