A Day in the Life of a Vulnerability Researcher
Vincent Lee
Vulnerability Researcher
Copyright 2017 Trend Micro Inc.
Who am I?
• Vulnerability Researcher @ ZDI
• BASc Computer Engineering
• Twitter: @trendytofu
What is ZDI? And what do we do?
World’s largest vendor agnostic bug bounty program
ZERO DAY INITIATIVE
How it works
Trend Micro Customers Protected Ahead of Patch
Other Network Security Vendor’s Customers at Risk
Vulnerability submitted to the ZDI program
Vendor Notified
Digital Vaccine® Filter Created
Vendor Response Window
Vulnerability is Patched or Remains Unfixed
Public Disclosure
Copyright 2018 Trend Micro Inc.
Law Enforcement Industry
Coordinated disclosure
Consumers Business Government
Public/Private Partnerships
Alerts, blogs, news, reports, guidance
Free tools
Insights to improve Trend Micro’s core technology and products
Trend Micro Research
24X7 response, security updates, IPS rules…
Threats Vulnerabilities & Exploits
Cybercriminal Undergrounds
IoT OT / IIoT AI & Machine Learning
Future Threat Landscape
Targeted Attacks
Healthcare
Targeted Incentive Program
Pwn2Own Organizer
The Exploit Economy
Evolving Marketplace
SECURITY RESEARCHERS and HACKERS have a multitude of options available to sell their BUGS
White Market Grey Market Black Market
Marketplace
White Market
Security Vendors
Bug Bounty Programs
Gray Market
Exploit Brokers
Exploit Shops
Exploit Intelligence Marketplace
Economy in Action
Researchers Finds Bugs
Bug Bounty Program
Report to Vendor
Sell Report $1K - $25K
Signatures
Exploit Writer
$10K - $100K
Vuln Broker
Government
$10K - $1000K
$10K - $1000K
Used Against??
Bot Herder Botnet Creator Compromises PCs
Sells Exploit Rents Botnet
Spammer DDoS Extortion Credential Harvesting
Smart Criminal Make One Big Purchase
Sells Stolen Creds
Dumb Criminal Buys Beer & Chips
Re-Sells Stolen Creds
Economy in Action
Researchers Finds Bugs
Bug Bounty Program
Report to Vendor
Sell Report $1K - $25K
Signatures
Completely Legal*
Economy in Action
Researchers Finds Bugs
Vuln Broker
Government
$10K - $1000K
$10K - $1000K
Used Against??
Mostly Legal*
Economy in Action
Researchers Finds Bugs
Exploit Writer
$10K - $100K
Bot Herder Botnet Creator Compromises PCs
Sells Exploit Rents Botnet
Spammer DDoS Extortion Credential Harvesting
Smart Criminal Make One Big Purchase
Sells Stolen Creds
Dumb Criminal Buys Beer & Chips
Re-Sells Stolen Creds
Definitely Not Legal*
Responsibilities
Triage process in a nutshell
• Review report
• Acquire/install/configure product
• Run PoC and debug
• Reverse engineering to find out root cause, and determine exploitability
• Offer
• Detection guidance
ZDI-19-508
CVE-2019-7824
Pwn2Own
• CanSecWest - Vancouver (March)
• PacSec - Tokyo (November)
Research
https://www.zerodayinitiative.com/blog/
Find us at these conferences
Plugging In
https://www.zerodayinitiative.com
@thezdi
PGP: https://www.zerodayinitiative.com/documents/zdi-pgp-key.asc
Fingerprint: 743F 60DB 46EA C4A0 1F7D B545 8088 FEDF 9A5F D228
Questions
Thank you for your time and attention