The bug bounty pioneer, the Zero-Day Initiative, is celebrating its 15th anniversary this year. In honor of this landmark date, ZDI specialists shared interesting statistics…
The experts said that over the past fifteen years, the Zero-Day Initiative has paid rewards to more than 10,000 cybersecurity researchers, having received over 7,500 vulnerability reports from them. In total, these payments already exceed $25,000,000.
Most of the vulnerabilities were reported through ZDI's own vendor-agnostic bug bounty platform, but many of the bugs were also reported by participants in Pwn2Own, the annual hacking competition organized by ZDI.
The Zero-Day Initiative was founded in 2005 and started as a dedicated project within 3Com. At the time, ZDI was used to financially reward researchers for discovering vulnerabilities in popular software. Fifteen years ago, this was a truly innovative concept, because companies did not yet run their own bug bounty programs. Because of this, researchers had to contact the security department at each individual company and report vulnerabilities without expecting any monetary reward in return. All this took a lot of time, bugs often remained unfixed, and experts who found them often received legal threats instead of thanks.
In fact, the Zero-Day Initiative was the first to build a working business model around a bug bounty platform. ZDI finally allowed researchers to get paid for their work and to delegate the process of notifying developers of vulnerabilities to professionals, which helped them avoid lawsuits.
At the same time, the parent company of the Zero-Day Initiative, 3Com, profited from the program: 3Com engineers regularly fed the vulnerability reports it received into TippingPoint, a security product that provided protection against exploits and often did so several months ahead of the competition. ZDI is currently owned by Trend Micro, which acquired TippingPoint in 2015.
The Zero-Day Initiative is now the most successful bug bounty platform and has been recognized as a leading vulnerability research organization on several occasions. For example, according to a recently published report from Omdia, ZDI was responsible for the disclosure of more than half of all vulnerabilities in 2019, far more than any other vendor or platform.