Latest news with #ZDI
Techday NZ
5 days ago
- Business
- Techday NZ
Trend Micro's Zero Day Initiative marks two decades of impact
Trend Micro's Zero Day Initiative (ZDI) is marking its twentieth year of reporting and coordinating disclosures of software vulnerabilities across the digital landscape. The ZDI claims the position as the world's largest vendor-agnostic bug bounty programme, having helped to identify and disclose thousands of software security flaws since its founding in 2005. According to data referenced by the company, the ZDI contributed to the responsible disclosure of 73 per cent of all reported vulnerabilities in 2024, exceeding the total from all other participating vendors combined. The bug bounty programme incentivises security researchers globally to uncover zero-day vulnerabilities in widely used products and to submit them in exchange for financial rewards. By working with vendors ahead of public disclosure, the ZDI aims to close security gaps before malicious actors can exploit them. One of the notable features for Trend customers is early access to virtual patches for zero-day threats. These interim security fixes are distributed, on average, over two months in advance of the release of official vendor updates. This provides an extended window of protection as vendors work to develop and test their formal patches. "Our top priority is empowering our customers to take a proactive approach to cybersecurity. The Zero Day Initiative is one of the best tools we have to stay ahead of cybercriminals, and it's one of a kind. Nobody else in the industry can protect their customers as far in advance as we do." This was stated by Mick McCluney, ANZ Field CTO at Trend Micro, who emphasised the significance of proactive approaches enabled by the ZDI's work. The initiative's history began in 2005 when it was established by TippingPoint, then a division of 3Com. Initially, it focussed on bringing together the security research community, providing a framework for researchers to report zero-day bugs responsibly by offering financial incentives. Two years later, the Pwn2Own competition was launched, challenging teams of researchers to discover vulnerabilities in specific software and operating system categories against the clock. Trend Micro took over the ZDI in 2016 following its acquisition of TippingPoint. Today, the programme comprises more than 450 dedicated researchers across 14 global threat centres, supported by a broader community of over 19,000 vulnerability researchers. The ZDI has played a role in several major security events over the past two decades. For example, its researchers uncovered issues with a patch intended to fix a LNK file vulnerability exploited by the Stuxnet worm, prompting Microsoft to develop a subsequent patch. Similarly, collaborative research with Microsoft led to the award of USD $125,000 to original ZDI researchers for identifying a method to bypass Internet Explorer's defences; this sum was subsequently donated to charity, and the technique went on to earn a patent. Other notable research successes include the identification of two zero-day vulnerabilities in Apple's QuickTime for Windows product, which resulted in Apple discontinuing support for the software and ZDI advising users to uninstall it. The ZDI's investigative output has also contributed to disrupting covert operation campaigns such as Black Energy APT, which has targeted Ukraine on multiple occasions. In 2023, a researcher associated with the ZDI was recognised with a Pwnie award for "most under-hyped research" after discovering a previously unreported exploit technique called activation context cache poisoning. The ZDI's operations not only benefit Trend Micro's client base but also contribute to improved security outcomes more broadly, by ensuring that vulnerabilities in widely used products are fixed before hostile actors can take advantage. The bug bounty scheme is credited with encouraging vendors to implement more robust security practices and to address security flaws ahead of public exploitation. As one of the larger vendor-neutral vulnerability research communities, ZDI continues to rely on its global network of researchers, ethical hacking competitions such as Pwn2Own, and partnerships with vendors, to fulfil its remit of identifying and coordinating the remediation of critical security flaws.
Yahoo
28-01-2025
- Automotive
- Yahoo
VicOne and Trend Micro Stage Pwn2Own Automotive Zero Day Vulnerability Event to Boost Industry Cybersecurity as SDV Trend Reshapes Threat
With automotive system complexity and attack surface both rapidly growing, VicOne set to release new report detailing sharp rise in vulnerabilities and industry recommendations DETROIT & TOKYO, January 28, 2025--(BUSINESS WIRE)--VicOne, an automotive cybersecurity solutions leader, today announced that it co-hosted with Trend Micro the world's largest zero-day vulnerability discovery contest, Pwn2Own Automotive 2025, at Automotive World, which took place Jan. 22-24 in Tokyo. Top-tier security researchers performed real-world testing on cutting-edge automotive technologies, all within Trend Micro's proven Zero Day Initiative (ZDI) platform, the world's largest vendor-agnostic bug bounty program. Pwn2Own Automotive is an annual competition designed to uncover and rectify vulnerabilities in technologies for connected cars. Automotive cybersecurity researchers from 13 countries came together on a global stage to discover 49 unique zero-day vulnerabilities across systems such as in-vehicle infotainment (IVI) systems and electric vehicle (EV) chargers. Sina Kheirkhah of Summoning Team was crowned the Pwn2Own Automotive 2025 Master of Pwn. "As SDVs (software-defined vehicles) reshape the automotive industry, cybersecurity becomes critical to ensuring their safety and reliability," said Max Cheng, chief executive officer of VicOne. "Platforms like Pwn2Own Automotive are instrumental to uncovering zero-day vulnerabilities and mitigating risks before they can escalate. By supporting initiatives like this, the industry can proactively strengthen vehicle security, paving the way for safer and more resilient advancements in mobility." The automotive industry is evolving with innovations such as SDVs, advanced driver-assistance systems (ADAS) and integration of artificial intelligence (AI). These developments promise enhanced functionality and efficiency but also introduce cybersecurity challenges, including risks from generative AI, supply-chain vulnerabilities and over-the-air (OTA) updates. According to the forthcoming VicOne 2025 annual report, the total count of automotive-related vulnerabilities ("CVEs") published in 2024 reached 530 vulnerabilities, another annual gain and just two short of twice as many as in 2019. The sharp rise in vulnerabilities highlights the rapid growth in both the automotive attack surface and automotive systems. Cyberattacks in 2024 caused damages exceeding $22 billion, with $20 billion attributed to data breaches and personal information leaks, the VicOne annual report will show. Key areas impacted in 2024 included the automobile industry's suppliers and dealers, who collectively account for the majority of targeted attacks. Other insights in the report, which is to be released publicly available at The automotive industry must adopt a security-first approach, integrating robust defenses, regulatory compliance and collaborative innovations to mitigate risks and secure the future of mobility. Supply-chain vulnerabilities will likely dominate cybersecurity events moving forward, with an increase in ransomware and OTA exploitations. Emerging threats include AI manipulation, cloud-based attacks and sensor data manipulation in autonomous systems. At Automotive World 2025, the world's leading event for advanced automotive technologies convening more than 1,800 companies, VicOne showcased a range of its innovative solutions built from the ground up to protect the connected-car ecosystem: xZETA, which offers robust capabilities for tackling software bill of materials (SBOM) and zero-day vulnerabilities Smart Cockpit Protection, which leverages AI-driven security to safeguard automotive smart cockpits from data breaches and AI-targeted attacks xCarbon, which leverages edge AI processing to analyzes vehicle data in real time, enabling early detection and prevention of cyberattacks on and malfunctions in in-vehicle electronic control units (ECUs) xNexus, the Vehicle Security Operations Center (VSOC) support platform Various security-related services, including risk analysis using the threat assessment and remediation analysis (TARA) process and Penetration Testing xScope, which uses advanced techniques to identify vulnerabilities, recommends specific improvements, and provides customized reports based on client needs The VicOne booth at Automotive World 2025 also featured the company's collaborative initiatives with its partner companies. VicOne's strategic partnerships include original equipment manufacturers (OEMs), hardware suppliers, semiconductor vendors, software developers and service providers. Founded and singularly focused on spearheading innovation in vehicle cybersecurity, VicOne, the market leader of automotive cybersecurity, provides the most advanced and comprehensive solutions to the automotive industry and galvanizes collective expertise from the sector's broadest cast of best-of-breed partners. OEMs and suppliers trust VicOne's purpose-built solutions to stay ahead of evolving threats and safeguard vehicles, drivers and sensitive data. For more information on VicOne's holistic approach to cybersecurity—spanning software, hardware and supply-chain ecosystems—please visit About VicOne With a vision to secure the vehicles of tomorrow, VicOne delivers a broad portfolio of cybersecurity software and services for the automotive industry. Purpose-built to address the rigorous needs of automotive manufacturers and suppliers, VicOne solutions are designed to secure and scale with the specialized demands of the modern vehicle. As a Trend Micro subsidiary, VicOne is powered by a solid foundation in cybersecurity drawn from Trend Micro's 30+ years in the industry, delivering unparalleled automotive protection and deep security insights that enable our customers to build secure as well as smart vehicles. For more information, visit About Zero Day Initiative (ZDI) The Zero Day Initiative (ZDI) was launched by Trend Micro in July 2005 to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers. Today, the ZDI represents the world's largest vendor-agnostic bug bounty program. For more information, visit About Trend Micro Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, Trend Micro's AI-powered cybersecurity platform protects hundreds of thousands of organizations and millions of individuals across clouds, networks, devices, and endpoints. As a leader in cloud and enterprise cybersecurity, Trend's platform delivers a powerful range of advanced threat defense techniques optimized for environments like AWS, Microsoft, and Google, and central visibility for better, faster detection and response. With 7,000 employees across 70 countries, Trend Micro enables organizations to simplify and secure their connected world. For more information, visit View source version on Contacts U.S. Media Contacts: Vivian Kelly Interprose for VicOne+1 703.509.5412viviankelly@ Jill Miley Interprose for VicOne+1
