A vulnerability is a weakness or error in a system or device’s code that, when exploited, can compromise the confidentiality, availability, and integrity of data stored in them through unauthorized access, elevation of privileges, or denial of service. A code or tool used to take advantage of a vulnerability is called an exploit.
Responsible vulnerability disclosure involves informing companies of the vulnerabilities discovered in their products. This allows organizations time to release a fix before the vulnerability is disclosed to the general public.
However, if the vulnerability is used in the wild before any disclosure is made, Trend Micro believes that it is our duty to release more details right away. In the case of theHacking Team leak , for instance, Trend Micro warned users that the data dumps included zero-day vulnerabilities that were being used in exploit kits and provided information on how users could protect themselves. We’ve also released advisories and technical information on various vulnerabilities, such as the recent ones in Internet Explorer, Edge, and Windows Task Scheduler, along with security best practices to help users and businesses defend against threats that exploit these flaws.
Trend Micro’s Zero Day Initiative (ZDI) works with a global community of researchers that augments ZDI’s own zero-day research and exploit intelligence. The ZDI represents the world’s largest vendor-agnostic bug bounty program, incorporating inputs, discoveries, and reports from more than 3,500 independent researchers. The ZDI’s disclosure policy entails responsibly and promptly notifying the vendors about a vulnerability while also distributing protection filters to Trend Micro. After notifications or a set timeline, and after patches have been rolled out by the vendors, the ZDI releases security advisories about the vulnerability.
Security 101: Zero-Day Vulnerabilities and Exploits
From Homes to the Office: Revisiting Network Security in the Age of the IoT
Securing the Industrial Internet of Things: Protecting Energy, Water and Oil Infrastructures
Cybercrime and Exploits: Attacks on Unpatched Systems
Security 101: Virtual Patching
Guide to Network Threats: Strengthening Network Perimeter Defenses with Next-generation Intrusion Prevention
Virtual Patching: Patch Those Vulnerabilities before They Can Be Exploited