Zero Day Initiative

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.

ZDI buys various software vulnerabilities from independent security researchers, and then discloses these vulnerabilities to their original vendors for patching before making such information public.

History
ZDI was started on July 25, 2005 by TippingPoint and was initially led by David Endler and Pedram Amini. The "zero-day" in ZDI's name refers to the first time, or Day Zero, when a vendor becomes aware of a vulnerability in a specific software. The program was launched to give cash rewards to software vulnerability researchers and hackers if they proved to find exploits in any variety of software. Due to lack of incentive and safety and confidentiality concerns, researchers and hackers are often deterred from approaching vendors when finding vulnerabilities in their software. ZDI was created as a third-party program to collect and incentivize finding such vulnerabilities, while protecting both the researchers and the sensitive information behind the vulnerabilities.

ZDI contributors have found security vulnerabilities in products such as Firefox 3, Microsoft Windows, QuickTime for Windows, and in a variety of Adobe products.

ZDI also conducts internal research for vulnerabilities and has found many in Adobe products, Microsoft products,  VMware products, and Oracle Java.

In 2016, ZDI was the top external supplier of bugs for both Microsoft and Adobe, having "purchased and disclosed 22% of publicly discovered Microsoft vulnerabilities and 28% of publicly disclosed vulnerabilities found in Adobe software."

ZDI also adjudicates the Pwn2Own hacking competition which occurs three times a year, where teams of hackers can take home cash prizes and software and hardware devices which they have successfully exploited.

Buying exploits
There has been criticism on the sale of software exploits, as well as on the entities who buy such vulnerabilities. Although the practice is legal, the ethics of the practice are always in question. Most critics are concerned about what can happen to software exploits once they are sold. Hackers and researchers who find flaws in software can sell those vulnerabilities to either government agencies, third-party companies, on the black market, or to the software vendors themselves.

The fair market value versus black market value for software exploits greatly differ (often variable by tens of thousands of dollars), as do the implications for purchasing software vulnerabilities. This combination of concerns has led to the rise of third-party programs such as ZDI and others as places to report and sell vulnerabilities for security researchers.

ZDI receives submissions for vulnerabilities such as remote code execution, elevation of privilege, and information disclosure, but "it does not purchase every type of bug, including cross-site scripting (XSS) ones that dominate many bug bounty programs."