Looking Back at the Zero Day Initiative in 2020

As we enter 2021, now is a good time to look back at what the Zero Day Initiative has accomplished during the past year. Although it was a year filled with challenges, 2020 was the busiest year in the history of the program. We began by hosting a completely new edition of Pwn2Own. The inaugural Pwn2Own Miami saw researchers test their exploits against Industrial Control Systems (ICS) and SCADA products. As successful as that event was, it ended up being the only physical contest we held in 2020. With the spread of COVID-19, holding an event in person was no longer an option. Undaunted, we held our first virtual Pwn2Own Vancouver in March. We followed that up with Pwn2Own Tokyo (Live from Toronto) in November, where we streamed the contest live demonstrated some great exploits from researchers around the world.

In 2020, we did a little reflecting on the history of our program as we celebrated 15 years of purchasing vulnerabilities. We’ve gone from buying just a single bug in 2005 to more than 8,000 bugs over that time. Last year we moved into some new vulnerability categories as well. Historically, we do not buy bugs in hardware, but in 2020, we ended up buying 41 bugs in wireless routers. We also expanded our purchasing of local privilege escalation and denial-of-service bugs. In February, we expanded our Targeted Initiative Program (TIP) by creating special incentives for bugs impacting Trend Micro products. 

The quality of the research submitted to the program continues to amaze us. We already listed our Top 5 bugs of 2020, but those just scratch the surface of the submissions in 2020. We could not do what we do without the input and talent of our global community of independent researchers. Their work and submissions are key to our success, and we thank them for their continued trust in our program. Our program also wouldn’t work without vendors generating and releasing fixes for the vulnerabilities we report to them. The ZDI would not be able to sustain this level of advisories – and thus, better protections for Trend Micro customers – without the contributions of researchers and vendors, and we thank them for all they do.

By the Numbers

As of now, the ZDI has published 1,453 advisories for 2020 – the most ever in the history of the program. We usually see some notifications from vendors early in the new year of vulnerabilities patched late in the previous year (but where advisories were not coordinated). Because of this, the actual number of 2020 advisories may eventually increase. We’ll update this blog with the final numbers when we have them. Here’s how that number of advisories stacks up year-over-year.

Coordinated disclosure of vulnerabilities continues to be a successful venture. However, 2020 saw our largest percentage of 0-day disclosures ever with 18.6% of all our disclosures published without a fix from the vendor. The sector that has the most difficulty meeting our disclosure timelines continues to be ICS/SCADA vendors, but they were joined by enterprise software vendors like Microsoft and HPE and hardware manufacturers D-Link and NETGEAR. Still, we were able to successfully coordinate 1,138 advisory releases in 2020, which is greater than the total number of advisories released in 2019. 

Here’s a breakdown of advisories by vendor. The top vendors really should not be shocking. What is somewhat surprising is the amount of “All Others” once you get past the top 20. That’s up 5% year-over-year and shows we are acquiring vulnerabilities in a wide array of vendors and products.

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2020, we did just that. A total of 80% of these vulnerabilities were rated Critical or High severity.

Here’s how that compares to the previous five years.

As you can see, after 2018 we made a conscious effort to ensure we were acquiring vulnerabilities that have the greatest impact to our customers. We expect this trend to continue. 

Looking Ahead

Moving into 2021, we anticipate we will remain as busy as ever. We currently have more than 500 bugs reported to vendors awaiting disclosure. That gets us a third of the way to publishing 1,500 advisories, which is not out of the question. There won’t be a Pwn2Own Miami in 2021, but we will have events in the spring and in the fall. Hopefully one or both can even be in person. Regardless, we’ll be streaming these contests moving forward, so if you ever wanted to attend Pwn2Own but couldn’t, you can now watch them online.

The ZDI vulnerability researchers will continue to be busy, as well. In 2020, roughly 20% of the advisories were cases submitted by ZDI researchers. When they aren’t reviewing submissions, ZDI researchers are usually found hunting their bugs, and they are pretty good at it. One of our big focus areas for research is in virtualization technologies. Over the past year, ZDI researchers have found 44 bugs that impact various virtualization products. This includes four remote code execution bugs in VMware ESXi discovered by ZDI Vulnerability Researcher Lucas Leong. We’ll be publishing more details about these bugs and the exploit he wrote using them once the fixes roll out.

Speaking if blogging, for the second year in a row, we published more than 60 blogs throughout the year, and we hope to keep that pace up moving forward. Expect patch blogs, exploit demonstrations, and more from the MindShaRE series. We’ve already published the first of those. This year, we’ll also be blogging more about what exploits and trends we’re detecting in the wild. In other words, 2021 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter for the latest updates from the ZDI.