Zero Day Initiative

The Zero Day Initiative (ZDI) was created to encourage the reporting of 0-day vulnerabilities privately to the affected vendors by financially rewarding researchers. At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who actually discover new flaws in software. Today, as a part of Trend Micro, the ZDI represents the world’s largest vendor-agnostic bug bounty program. Our approach to the acquisition of vulnerability information is different from other programs. No technical details concerning the vulnerability are sent out publicly until the vendor has released a patch. We do not resell or redistribute the vulnerabilities that are acquired through the ZDI. Interested researchers provide us with exclusive information about previously un-patched vulnerabilities they have discovered. The ZDI then collects background information in order to validate the identity of the researcher strictly for ethical and financial oversight. Our internal researchers and analysts validate the issue in our security labs and make a monetary offer to the researcher. If the researcher accepts the offer, a payment will be promptly made. As a researcher discovers and provides additional vulnerability research, bonuses and rewards can increase through a loyalty program similar to a frequent flier program.