Four years and counting: ZDI leads Frost & Sullivan disclosure field

HP Security Research has just learned that our Zero Day Initiative (ZDI) team has received the Global Frost & Sullivan Company of the Year Award for 2013 – the fourth year in a row we’ve been honored as the pre-eminent public vulnerability research program by F&S's business analysts. According to F&S, ZDI reported over half of all critical- or high-level vulns submitted to vendors in 2013. Four years is a record and we’re truly grateful, but as the rest of this year’s F&S report showed, it’s more than just consistent quality. It’s never that simple with security, is it?

As the report shows, the landscape continues to evolve rapidly. Sheer volume still matters, of course, and ZDI’s in-house and independent researchers certainly handle a tremendous volume of cases. Of the 426 critical- or high-severity vulns found and submitted to vendors in 2013, ZDI was responsible for 222 of them, with the rest of the industry picking up the slack with 206. In-house, our team will tell you that submissions to the ZDI have more than doubled since this time last year…and last year’s submissions doubled 2012’s.

Frost & Sullivan notes, and ZDI’s own records agree, that critical-severity vulns are more prevalent than ever. Using data from the National Vulnerability Database (NVD), Frost & Sullivan found that critical-level vulns accounted for 24.5 percent of all vulnerabilities, up from 16 percent in 2012. Buffer overflows continue to flood the landscape (you see what we did there?), with the ZDI alone capturing 70. A whopping 72 percent of all reported vulnerabilities are jailbreak-capable – as defined by Frost & Sullivan, able to deny service and modify files and allow unauthorized access – and the ZDI reported 45.3% of all of those. Clearly, better development practices have cut down on the low-hanging vulnerability “fruit,” but there’s still much to do and, as the report points out, there are more bad actors out there than ever.

Which brings us to ZDI’s not-so-secret weapon: our battalion of nearly 3,000 independent and in-house security researchers. Frost & Sullivan said highly complimentary things about how we’re “building an international research culture” and “demonstrating proof-of-concept at the root-cause level and writing succinct, verifiable exploit code.” We are and we aim to, and every one of our contributors is part of that excellence. If you’re one of our 3,000, we thank you for everything you do.

We especially appreciate you because we (and Frost & Sullivan) know it’s a strange time for the public-vulnerability disclosure culture itself. Several firms that previously ran their own disclosure-reporting programs have bowed out over the last 24 months. On the vendor side, though individual companies are still putting together their own in-house bounty programs, the economics and logistics of offering such programs are complicated.

That said, the quality of vulnerability research itself has never been more solid, nor have relations between disclosure programs and the vendors to whom we reach out. Companies understand that, as Frost & Sullivan delightfully puts it, “vulnerability testing is not an elective,” and that individuals or firms attempting to disclose a vulnerability to companies privately are by definition not the enemy. This. Is. Progress.

The Frost & Sullivan report is fascinating reading on the state of the industry. We here at HP Security Research were of course deeply gratified and pleased by what it says about the ZDI, and equally interested in the analyses of our marketplace competitors; we also laughed at some of the strange situations we get ourselves into. (Hacking our own television sets? Check. Paying large enough bounties on HP’s own products that the results appear on several charts as a line item? Absolutely, and in line with our nearly ten years of being vendor-agnostic.)

Frost & Sullivan notes that HP “routinely provides best security practices, and vulnerability research is foundational.” We’re here to lead, and over the course of the next year – ZDI’s tenth anniversary – you’ll see some interesting new work coming from the entire HP Security Research team of which ZDI is a part. Please stand by, and we hope Frost & Sullivan – and the rest of you – keep watching us.
