By Jennifer Lake, Security Product Marketing Manager, HP Networking
Last week, the Zero Day Initiative (ZDI) announced details for the fifth annual Pwn2Own contest, taking place at the CanSecWest conference in Vancouver. The contest pits security researchers against today’s most commonly used computing devices and applications, to effectively demonstrate how secure (or insecure) these products are.
Contests like Pwn2Own are quite valuable to the software industry and to computer users everywhere because they demonstrate, very publicly, how exploitable the software people rely on every day really is.
Before getting too far into that line of thinking, I think it is important to first establish just who/what the ZDI is.
ZDI is a security research program funded by HP TippingPoint and operated by HP DVLabs that is designed to reward individuals for responsibly sharing vulnerability information. It is a network of more than 1,500 security researchers worldwide that specializes in discovering vulnerabilities, or bugs, in commonly used software. A majority of these researchers are hobbyists or security specialists who like to tinker with software to make it better. Here’s a snapshot of how the process works:
- Discovery: A researcher uncovers a bug in a piece of software (for example a document reader or a Web browser) and reports it to the ZDI. HP DVLabs validates the vulnerability and purchases the intellectual property of that bug from the researcher.
- Solution development: HP DVLabs works with the affected vendor by providing details of the vulnerability, so they can issue a fix. This is typically delivered in the form of a patch.
- Disclosure: After a patch is issued, ZDI publishes the details of the vulnerability to the public, giving full credit to the researcher for his or her contribution to the process.
It is important to note that the ZDI does not disclose details of the vulnerability to any party other than the affected vendor. What’s more, the researcher who reports the vulnerability is held to a similar non-disclosure agreement. By keeping these details out of circulation, HP DVLabs reduces the risk of malicious attackers using them to build working exploits and the bots, viruses or worms that carry them.
Why ZDI merits further discussion
In August, the ZDI announced changes to its disclosure policy for releasing vulnerability details, in an effort to push vendors to issue patches more quickly. The new policy gives vendors a six-month window to release their fixes; after that, ZDI discloses the details of the vulnerabilities, along with proposed mitigations, so users can proactively protect their networks.
This is an important change and one that the ZDI will begin enforcing this week. We’ll use the next post to delve further into the details of this change, as well as to discuss the importance of security research and the value this brings to the industry.
What do you think? Do you think vulnerability research is a valuable tool for the security industry?
>>Find complete Pwn2Own contest details here.