Trend Micro’s Zero Day Initiative (ZDI) has expanded its bug bounty program to include a new $1.5m pot for researchers able to discover new vulnerabilities in server-side open source products like Drupal, Apache and WordPress.
The new addition to ZDI’s Targeted Incentive Program (TIP) will aim to ramp up the number of critical exploits found in some of these popular tools, with special rewards on offer for the first few months.
From August 1 to the end of September this year, ZDI will be offering $25,000 for vulnerabilities in Joomla and Drupal running on Ubuntu Server 18.04 x86. WordPress flaws will get $35,000 until the end of September, while NGINX and Apache HTTP Server bugs receive a massive $200,000 until the end of November and December respectively.
Vulnerabilities in Microsoft IIS running on Windows Server 2016 x64 also get $200,000, until January next year.
Only fully functioning exploits demonstrating remote code execution earn the full bounty amount; that means proof-of-concepts won’t cut it. These need to be true zero-days affecting the core code, not add-on components or plug-ins, said the ZDI.
Submitted exploits must work against the target software running on a fully patched version of the relevant OS and must bypass mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and application sandboxing.
Brian Gorenc, Trend Micro's director of vulnerability research, revealed that the ZDI has already published 600 advisories this year thanks to schemes like this.
“One advantage of purchasing this many bug reports is that we can guide researchers towards specific areas that either interest us or enhance protections for our customers,” he added. “For example, we added a virtualization category to our Pwn2Own event to see what sort of exploits could escape a guest OS, and the results were fascinating. That’s one of the main drivers behind the newest addition to our existing bug bounty.”
The expansion of the bug bounty scheme is well-timed, given the continued problems facing users of popular open source products.
However, security is a two-way street and users will only be protected if they make a concerted effort to update to the latest software version. Last year hackers managed to deface over one million WordPress sites that weren’t patched, while the Ukrainian energy ministry was hit by ransomware targeting an unpatched Drupal installation earlier this year.