HP’s Zero Day Initiative has decided to adjust its guidelines and criteria for buying some vulnerabilities in the future, eliminating some large classes of bugs from its menu.
The group, which has been among the more visible and prominent of the vulnerability purchasing programs since its inception several years ago, has decided that it will no longer pay for several kinds of bugs, including ActiveX flaws, most denial-of-service vulnerabilities and post-authentication SQL injection bugs. One exception to the ActiveX policy, however, is that the ZDI will still purchase ActiveX flaws related to SCADA systems.
ZDI was among the first of the corporate vulnerability buying programs to succeed and have a broad effect on the industry. The program has been a key sponsor of the Pwn2Own hacking contest at CanSecWest for many years, as well. ZDI still plans to buy most of the common vulnerability classes it has paid for in the past.
“As always, we are looking first at software that is most widely deployed, and especially that which is most widely deployed in the enterprise. We are looking for critical-class vulnerability reports. For example, we are still buying browser bugs, SCADA bugs, operating-system privilege escalations, sandbox escapes, and most security-product vulnerabilities,” Shannon Sabens of HP said in a blog post.
The change in guidelines may reflect the shift in the broader research and hacking communities toward high-value targets such as SCADA systems, sandboxes and others. Attackers have been focusing their energy on browsers and sandbox escapes for years now, and increasingly are turning their attention to SCADA and industrial control systems, as well. The number of researchers who work on SCADA and related topics is tiny relative to the number who focus on Web or application security, but security advisories for ICS and SCADA products are becoming much more common.