Four years and counting: ZDI leads Frost & Sullivan disclosure field

Angela_Gunn 07-15-2014 06:14 AM - edited 07-15-2014 06:25 AM

HP Security Research has just learned that our Zero Day Initiative (ZDI) team has received the Global Frost & Sullivan Company of the Year Award for 2013 – the fourth year in a row we’ve been honored as the pre-eminent public vulnerability research program by F&S's business analysts. According to F&S, ZDI reported over half of all critical- or high-level vulns submitted to vendors in 2013. Four years is a record and we’re truly grateful, but as the rest of this year’s F&S report showed, it’s more than just consistent quality. It’s never that simple with security, is it?

As the report shows, the landscape continues to evolve rapidly. Sheer volume still matters, of course, and ZDI’s in-house and independent researchers certainly handle a tremendous volume of cases. Of the 426 critical- or high-severity vulns found and submitted to vendors in 2013, ZDI was responsible for 222 of them, with the rest of the industry picking up the slack with 206. In-house, our team will tell you that submissions to the ZDI have more than doubled since this time last year…and last year’s submissions doubled 2012’s.

Frost & Sullivan notes, and ZDI’s own records agree, that critical-severity vulns are more prevalent than ever. Using data from the National Vulnerability Database (NVD), Frost & Sullivan found that critical-level vulns accounted for 24.5 percent of all vulnerabilities, up from 16 percent in 2012. Buffer overflows continue to flood the landscape (you see what we did there?), with the ZDI alone capturing 70. A whopping 72 percent of all reported vulnerabilities are jailbreak-capable – as defined by Frost & Sullivan, able to deny service and modify files and allow unauthorized access – and the ZDI reported 45.3% of all of those. Clearly, better development practices have cut down on the low-hanging vulnerability “fruit,” but there’s still much to do and, as the report points out, there are more bad actors out there than ever.

Which brings us to ZDI’s not-so-secret weapon: our battalion of nearly 3,000 independent and in-house security researchers. Frost & Sullivan said highly complimentary things about how we’re “building an international research culture” and “demonstrating proof-of-concept at the root-cause level and writing succinct, verifiable exploit code.” We are and we aim to, and every one of our contributors is part of that excellence. If you’re one of our 3,000, we thank you for everything you do.

We especially appreciate you because we (and Frost & Sullivan) know it’s a strange time for the public-vulnerability disclosure culture itself. Several firms that previously ran their own disclosure-reporting programs have bowed out over the last 24 months. On the vendor side, though individual companies are still putting together their own in-house bounty programs, the economics and logistics of offering such programs are complicated.

That said, the quality of vulnerability research itself has never been more solid, nor have relations between disclosure programs and the vendors to whom we reach out. Companies understand that, as Frost & Sullivan delightfully puts it, “vulnerability testing is not an elective,” and that individuals or firms attempting to disclose a vulnerability to companies privately are by definition not the enemy. This. Is. Progress.

The Frost & Sullivan report is fascinating reading on the state of the industry. We here at HP Security Research were of course deeply gratified and pleased by what it says about the ZDI, and equally interested in the analyses of our marketplace competitors; we also laughed at some of the strange situations we get ourselves into. (Hacking our own television sets? Check. Paying large enough bounties on HP’s own products that the results appear on several charts as a line item? Absolutely, and in line with our nearly ten years of being vendor-agnostic.)

Frost & Sullivan notes that HP “routinely provides best security practices, and vulnerability research is foundational.” We’re here to lead, and over the course of the next year – ZDI’s tenth anniversary – you’ll see some interesting new work coming from the entire HP Security Research team of which ZDI is a part. Please stand by, and we hope Frost & Sullivan – and the rest of you – keep watching us.
