ZDI offers hefty bounties for zero-days in popular web servers, CMSes
The Trend Micro-backed Zero Day Initiative is asking bug hunters to look for zero-day RCE vulnerabilities in several open source server-side products and is ready to pay up to $200,000 for some of them.
A server-side bug bounty program
“Starting August 1st, the Targeted Incentive Program (TIP) offers a special monetary award for specific targets, but only for the first successful entry and only for a certain period of time,” ZDI’s Brian Gorenc explained.
Joomla, Drupal, WordPress, NGINX, Apache HTTP Server and Microsoft IIS are just the initial targets.
Once the prize is claimed, the target will be removed from the list and a new target will be added to the target list. The first researcher that provides a fully functioning exploit demonstrating remote code execution earns the full bounty amount.
Those that don’t manage to snag the bounty can still earn something for their effort, as their submissions may be purchased by ZDI through the standard bug reporting process.
In order to get one of the TIP bounties, the researchers have report a “true 0-day” that affects the core code of the selected target (not add-ons and plugins), provide a fully functioning exploit (not just a PoC), and bypass target’s mitigations designed to ensure the safe execution of code (e.g., DEP, ASLR, application sandboxing).
“The bugs targeted by this program represent some of the most widely used and relied upon software available. We’re looking forward to finding – and eliminating – as many as possible. As of now, we have more than $1,000,000 of bounties allocated for future targets. We don’t want to give away too much ahead of time but expect more products in the $200,000 – $250,000 range,” Gorenc noted.
“New targets can and will be added to the target list based on guidance from the ZDI team along with the other teams inside of Trend Micro. We may also add products based on what we’re seeing actively targeted or what is of special interest to Trend Micro customers.”