The top 3 things you need to know about ZDI

The HP Zero Day Initiative (ZDI)—you’ve heard about it, you’ve read about it, but you want to know more. Here are the top 3 questions we get regarding ZDI.

 

 What is ZDI?

The HP Zero Day Initiative (ZDI) was established in 2005 as a way for security researchers to responsibly disclose vulnerabilities in software. ZDI was among the first, most successful vendor-agnostic programs of its kind. The program accepts and responsibly discloses vulnerabilities in software used by enterprises ranging from operating systems to SCADA applications.

 

ZDI gathers information from leading security researchers and promotes the early detection of new vulnerabilities by rewarding independent researchers for their work and working closely with the impacted vendor to patch the problem. The ZDI is vendor agnostic, meaning researchers have a single point of contact for submitting vulnerabilities across all major software vendors.

 

Today, the ZDI program bridges the gap between HP Security Research (HPSR) and HP TippingPoint Digital Vaccine (DVLabs) teams by providing detection guidance that allows HP TippingPoint products to protect customers against the latest zero-day vulnerabilities before they are disclosed to the public, which is a key differentiator in the market. In some cases, we can protect customers up to 6 months before the application vendor patches their vulnerability. This close partnership has resulted in HP being named the Company of the Year in Vulnerability Research, Global by Frost & Sullivan for three consecutive years.

 

How does the ZDI protect customers?

Since its founding, the ZDI has disclosed more than 1,300 vulnerabilities in common, everyday software; received over 5,300 zero-day vulnerabilities into the program; and purchased over 2,000 zero-day vulnerabilities.

In 2012 alone, the ZDI program issued more than 200 security advisories to help vendors patch vulnerabilities hidden in commonly used software, including a record number of zero-day advisories (20). The team continues this pace, having already published 250 security advisories in 2013.

 

On an ongoing basis, ZDI-sourced filters continue to show up in the DVLabs weekly subscriptions, with over 29 ZDI-sourced filters in the past year. HP’s research teams continue to share their expertise on our HP Security Research blog platform.

 

Finally, the ZDI recently held the second annual Mobile Pwn2Own contest at the PacSec Application Security Conference in Tokyo, where the world’s best researchers shared their latest mobile vulnerabilities and exploit techniques. All filters from this contest are undergoing rigorous testing and quality assurance, and will be released in our upcoming weekly Digital Vaccine package to our TippingPoint customers!

 

How can the ZDI help me?

HP is a leading provider of original vulnerability data, which provides coverage to our TippingPoint customers up to 6 months before the application vendor patch is created and ahead of our competition. According to Frost and Sullivan, in 2012, ZDI accounted for 24.9% of publicly reported vulnerabilities, leading all commercial vulnerability reporting organizations. HP TippingPoint DVLabs uses ZDI data to protect customers from never-before-seen threats targeting zero-day vulnerabilities.

 

In 2013, ZDI has been responsible for over 50% of all Microsoft Critical vulnerabilities patched to date. Since 2011, ZDI has been responsible for over 36% of Oracle Java's Critical vulnerabilities patched to date. The numbers are impressive.

 

To learn more about the HP Zero Day Initiative, visit the HP Security Research blog.
