Targeted Incentive Program: A new bug bounty program 1 Million USD

Share this…

For the last 13 years, Zero Day Initiative (ZDI) has purchased lots of bug reports for their publication. According to reports of enterprise data protection services experts, only in the first half of this year, ZDI has published 600 reports, and the number keeps increasing.

An advantage of buying so many bug reports is that researchers can orient themselves to specific areas of interest to improve the protection protocols for computer users. For example, ZDI added a virtualization category to its Pwn2Own event to see what kind of exploits might escape from a guest Operating System, and the results were extraordinary. This is one of the main reasons for the latest addition to the existing ZDI bug reward program: Targeted Icentive Program, which contributes more than $1.5M in special rewards for specific targets.

ZDI wants to increase the number of critical server vulnerabilities it receives from the information security research community. From August 1, Targeted Incentive Program (TIP) offers a special monetary reward for specific targets, but only for the first successful entry and only for a certain period of time. At the beginning of this program, ZDI started primarily with open source server-side products used by its customers and the computer community in general.

These are the initial targets, their awards and the time limit for each category:


This means that researchers and enterprise data protection services experts have until the end of September to be able to obtain $25K for a Drupal or Joomla exploit. They have until the end of October to earn $35K for a WordPress exploit, and so on for each of the other categories. The first investigator to provide a fully functional exploit and demonstrate remote code execution wins the full reward amount. Once the prize is claimed, the target will be removed from the list and a new target will be added to the list.

To be electable for rewards, the report must demonstrate that the exploit actually works, not just as a proof of concept. Reported vulnerabilities must be true zero-day vulnerabilities and must affect the central code of the selected target. ZDI will not accept entries in complementary components. A successful entry must exploit a vulnerability (or vulnerabilities) to modify the standard execution path of a program or process in order to allow arbitrary commands to run. Successful entries must thwart objective mitigations designed to ensure safe execution of the code. The objectives must be executed in the latest and updated version of the operating system available for the selected target unless otherwise noted. Any doubts the researchers in enterprise data protection services could have, may be solved via e-mail.

The first exploit to successfully compromise a target will receive the prize amount indicated for that specific target. Subsequent reports received by the program through its standard process could also be purchased by ZDI.

Once the objectives are committed or the end date of a category is reached, additional objectives will be added to the program. So far, ZDI has more than $1M in rewards reserved for future targets.

New targets can and will be added to the list based on the orientation of the ZDI team in conjunction with the Trend Micro teams. Reports submitted to the program will be handled through the standard Zero Day Iniciative Researcher Agreement and Disclosure. This also means that once notified, providers will have 120 days to launch a public security patch.

If you, as a researcher or expert in enterprise data protection services expert, are interested in participating but still have questions related to the program, you can send an email to ZDI. Questions made through Twitter, blogs, or any other media will not be recognized and/or answered.