Zero Day Initiative: Microsoft OS flaws, out-of-bounds reads, ICS gear and a record number of high-severity bugs marked 2019 for the ZDI program.
Zero Day Initiative (ZDI) awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, it said, resulting in 1,035 security vulnerability advisories for the year.
Most of those advisories (88 percent) were published in conjunction with a patch from the vendor, ZDI noted – just 127 were not.
The pace of bug discovery looks set to stay steady. ZDI, a division of Trend Micro, announced that, as of the end of January, its bounty program had already published 154 advisories for 2020, affecting products from Apple, Cisco, Oracle, Microsoft and others.
Notable milestones for the year included the introduction of an automotive category to Pwn2Own Vancouver, the group’s annual hacking contest. In terms of bugs themselves, “[we also] saw [Windows user account control] abused for privilege escalation, had the Samsung handset exploited via baseband for the third Pwn2Own Tokyo in a row and disclosed a significantly impactful SharePoint bug later seen in active attacks,” ZDI’s Brian Gorenc wrote, in a blog post on Thursday.
2019 Bug Bounty Trends
From a trend perspective, Gorenc said that 2019 saw a shift towards more reports for high-severity flaws – rather than medium-severity bugs making the bulk of advisories as they have in years past. In all, there were 98 critical, 583 high-severity and 167 medium-severity bugs disclosed. That compares with 262 critical, 211 high-severity and 867 medium-severity bugs disclosed the year before.
At the same time, the number of low-severity advisories increased year-over-year, totaling 191 vs. 103 in 2018.
“The increase in low-severity CVSS cases reflects our commitment to information-disclosure cases,” Gorenc explained. “On their own, they aren’t as impactful. However, when combined with other vulnerabilities, they become an essential piece of an exploit chain. As exploits often rely on info leaks for sandbox escapes and other compromises, these humble info-disclosure bugs will continue to be worth [giving bounties for].”