HP Networking

What is ZDI? (And why you should care.)

By Jennifer Lake, Security Product Marketing Manager, HP Networking


Last week, the Zero Day Initiative (ZDI) announced details for the fifth annual Pwn2Own contest, taking place at the CanSecWest conference in Vancouver. The contest pits security researchers against today’s most commonly used computing devices and applications, to effectively demonstrate how secure (or insecure) these products are.

Contests like Pwn2Own are quite valuable to the software industry and to computer users everywhere because they demonstrate—very publicly—just how insecure computing and the Internet really are.


ZDI explained


Before getting too far into that line of thinking, I think it is important to first establish just who/what the ZDI is.

ZDI is a security research program funded by HP TippingPoint and operated by HP DVLabs that is designed to reward individuals for responsibly sharing vulnerability information. It is a network of more than 1,500 security researchers worldwide that specializes in discovering vulnerabilities or bugs in commonly used software. A majority of these researchers are hobbyists or security specialists who like to tinker with software to make it better. Here’s a snapshot of how the process works:

  • Discovery: A researcher uncovers a bug in a piece of software (for example a document reader or a Web browser) and reports it to the ZDI. HP DVLabs validates the vulnerability and purchases the intellectual property of that bug from the researcher.
  • Solution development: HP DVLabs works with the affected vendor by providing details of the vulnerability, so they can issue a fix. This is typically delivered in the form of a patch.
  • Disclosure: After a patch is issued, ZDI publishes the details of the vulnerability to the public, giving full credit to the researcher for his or her contribution to the process.

It is important to note that the ZDI does not disclose details of the vulnerability to any other party, except the affected vendor. What’s more, the researcher who reports the vulnerability is held to a similar non-disclosure agreement. By keeping these details out of circulation, HP DVLabs can reduce the risk of malicious attackers using this data to create targeted exploits (i.e. bots, viruses or worms that target software vulnerabilities).


Why ZDI merits further discussion

In August, the ZDI announced changes to its disclosure policy for releasing vulnerability details in an effort to influence vendors to issue patches in a timelier manner. The new policy gives vendors a six-month window to release their fixes, before ZDI discloses the details of the vulnerabilities—with proposed mitigations—so users can proactively protect their networks.

This is an important change and one that the ZDI will begin enforcing this week. We’ll use the next post to delve further into the details of this change, as well as to discuss the importance of security research and the value this brings to the industry.

What do you think? Do you think vulnerability research is a valuable tool for the security industry?

>>Find complete Pwn2Own contest details here.

 

Comments
Efrain(anon) | 02-10-2011 08:48 PM

HPNetworking | 02-10-2011 10:28 PM

Thank you @Efrain - fixed!!

Used Hp Computers(anon) | 03-02-2011 08:09 AM

I read your article. I don't agree with you!!! But one company hopes to make that market less attractive. With its newly launched Zero Day Initiative (ZDI), TippingPoint (a division of 3Com) hopes to create a legitimate market for responsibly reporting vulnerabilities by offering compensation for the information. But I'm not so sure that this is a good idea.

http://www.usedhpcomputers.com

Jennifer Lake(anon) | 03-02-2011 06:34 PM

@anon - I am interested to know what specifically you disagree with, so that I can better respond to your comment. However, I do need to clarify that the ZDI is not new. The ZDI program was established in July 2005. Since then it has grown to more than 1,500 researchers and is responsible for discovering more than 700 published vulnerabilities.

used hp computers(anon) | 06-06-2011 08:19 AM

Indeed a very good read! Very informative post with pretty good insight on all aspects of the topic! Will keep visiting in future too! http://www.electrocomputerwarehouse.com/

used hp computers(anon) | 07-01-2011 01:40 PM

I just stumbled upon your blog after reading your blog posts and wanted to say thanks. I highly appreciate the blogger for doing this effort.

used hp computers(anon) | 08-06-2011 06:40 AM

I just stumbled upon your blog after reading your blog posts and wanted to say thanks. I highly appreciate the blogger for doing this effort. http://www.electrocomputerwarehouse.com
