ZDI, a Pioneering Vulnerability Research Program: From 3Com to Trend Micro
The story starts in August 2005, when 3Com launched a rewards program for researchers to discover and responsibly disclose zero-day vulnerabilities. Named the Zero Day Initiative (ZDI), this program offered clients the opportunity to leverage IPS filters (TippingPoint) for proactive protection. In its early days, ZDI cataloged only one vulnerability in the first year; today, that number has grown to nearly 7,500, demonstrating the significant progress made.
From Early Successes to the 2010s
During its initial years, the program quickly established itself as a benchmark in vulnerability research, particularly for major vendors such as Apple and Oracle (via Java), which were highly prominent in the ecosystem at the time. In the same period, the nearly “indestructible” reputation of Macs was challenged by discoveries made by ZDI. This technical momentum also led to the creation of Pwn2Own, an event built around live demonstrations of what a bug bounty can achieve, where researchers and ethical hackers put the most popular devices to the test.
Continuous Evolution Through Acquisitions
The acquisition of 3Com (and thus ZDI) by Hewlett-Packard (HP) did not hinder the program’s growth; on the contrary, it accelerated it. Reducing the vulnerability response time from 180 days to less than 120 days helped establish responsible disclosure as a new “standard” in the market. Microsoft and Google, in turn, followed this trend by creating their own research programs.
When Trend Micro acquired ZDI in 2015, the program’s expertise expanded to cover the vendor’s entire product portfolio, no longer limited to the TippingPoint IPS. Vulnerability research now covers a broader spectrum, including both software applications and hardware equipment. The special edition of Pwn2Own dedicated to SCADA environments (and more broadly ICS) illustrates how cybersecurity challenges now extend well beyond PCs and servers.