Introducing the Vanguard Awards
August 05, 2024 | Brian Gorenc
This year at Black Hat USA, Trend Micro’s Zero Day Initiative (ZDI) will award our inaugural Vanguard Awards recognizing some of the best researchers and vendors we have dealt with over the last year. We plan on these being annual awards, with the categories changing to keep up with the latest shifts in the threat landscape – or whenever there’s someone or something we really want to highlight. Our goal is simply to call attention to good work in the community that might otherwise go unnoticed. We also want to keep these awards positive. While it can certainly be fun to point out errors, we think it’s more important to recognize the good work being done.
For the Researcher Awards, there are five categories for 2024:
1. Best use of the RF enclosure - Synacktiv
During Pwn2Own competitions, we sometimes need to use an RF enclosure (Faraday cage) to ensure the exploit demonstrated doesn’t impact real-world systems. This award goes to the individual (or team) who had the best use of the enclosure in this year’s events.
The team from Synacktiv showed their over-the-air prowess on two separate occasions. The first was during Pwn2Own Toronto, where they were able to execute a heap-based buffer overflow in the kernel triggered via Wi-Fi leading to remote code execution against the Wyze Cam v3. Then, at Pwn2Own Automotive, they used a three-bug chain to exploit the Tesla Modem.
2. Most Prolific Researcher - 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044
This award is given to the researcher who contracted the most cases in the last year, meaning submissions that were actually purchased by the ZDI. It reflects the hard work and dedication researchers put in throughout the year to help protect Trend Micro customers and others. The bugs they submit get patched rather than re-sold and exploited.
This year, we recognize the work of 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044. Of course, that’s not their real name. They wish to remain anonymous, and we respect that. Still, their continued work has resulted in almost 100 CVEs since 2023 in ICS and enterprise applications. We are happy to continue to work with this researcher and anticipate more great research from them in the future.
3. Most Likely to Keep Incident Responders Awake - Mark Yason
Not all bugs are created equal. Some are more esoteric while others are straightforward and likely to be exploited. These submissions show a level of practicality vendors appreciate, and threat actors do, too.
The bugs submitted by Mark Yason are exactly these types of bugs: straightforward and practical. More than one has been exploited in the wild after being patched by the vendor. His continued excellence has earned him Gold status with the ZDI and caffeine status with incident responders.
4. Best Use of AI - Sina Kheirkhah
This award goes to the researcher who had the best use of Artificial Intelligence throughout the year. This could be demonstrated at a Pwn2Own event or a regular case submission.
During the inaugural Pwn2Own Automotive competition, Sina used ChatGPT to help debug an issue he was having with one of his exploits while on stage. Although the LLM didn’t write the exploit or find the bug, it showed how an inventive researcher can use AI to assist in writing exploit code.
5. Most In-Depth Submissions - Marcin Wiązowski
Not all submissions are equal. Some truly stand out amongst others. This category recognizes the researcher who continually goes above and beyond in their submissions, including write-ups and code examples. Their submissions not only help us understand the underlying vulnerability, but they help the vendor understand it as well.
Marcin Wiązowski is a regular submitter to the program and a Pwn2Own winner as well. His reports are consistently next-level, providing such a thorough analysis that the ZDI rarely needs to add anything before submitting his bugs to the vendor. Some of his reports have also been used as guest blogs for the ZDI, with little changes or editing needed.
Moving on to the Vendor Awards, here are the five categories for 2024:
1. Best security advisories - Adobe
Security advisories are one of the best tools in the defender’s arsenal to gauge the risk to their enterprise, but not all advisories provide accurate, thorough information. This award goes to the vendor who consistently provides clear, actionable information in an easy-to-read format.
This year, we would like to recognize Adobe for its consistently excellent security advisories. Delivered every second Tuesday of the month, the advisories provide administrators with the information they need to judge the risks to their systems without giving too much away for attackers to use. They also highlight the work of the many researchers reporting bugs to them with their acknowledgments.
2. Most transparent communication - SolarWinds
Not every communication between the ZDI and vendors goes smoothly. That’s why it is important to highlight the vendors who are honest and transparent with their communications, even if they are communicating bad news.
Over the last 18 months, the communications between SolarWinds and the ZDI have been just that. They are open and honest about their security posture, even to the point of being blunt. They have been proactive and open to working with our researchers to learn what is required to fix certain vulnerabilities.
3. Most collaborative vendor - Tesla Motors
Not all vendors are happy to hear from the ZDI, but some collaborate with us to strengthen their products or services. This award goes to the vendor who went above and beyond in their work with the Zero Day Initiative.
This year, we are proud to recognize the continuing partnership we have with Tesla Motors. Beginning with Pwn2Own Vancouver in 2019, they have helped the ZDI showcase some of the best automotive research in the world. They were also instrumental in helping the first-ever Pwn2Own Automotive be such a success. We look forward to working with them in the future.
4. Most improved vendor - Ivanti
Not every vendor starts with a fantastic response process. There’s often a learning curve, and it’s usually painful. However, we want to recognize the vendor who has made significant improvements to their responsiveness and security update process.
Ivanti had a rough start to 2024, but CEO Jeff Abbott set out to “look critically at every phase of our processes, and every product, to ensure the highest level of protection for our customers.” Here at the ZDI, we’ve seen this improvement firsthand as we continue to report vulnerabilities to them.
5. Fastest to patch - Mozilla
When dealing with as many disclosures as we do, it’s good to recognize those vendors who take bug reports seriously and patch them as fast as possible.
Earlier this year at Pwn2Own Vancouver, Mozilla patched the bugs used by Manfred Paul to achieve his sandbox escape of Mozilla Firefox within 48 hours of receiving the bugs. This rapid reaction shows their dedication to resolving bugs as fast as possible – especially when they are demonstrated on stage.
The Ceremony
The award ceremony itself will take place at the Trend Micro booth on the show floor at noon local time. We will present several of these awards in person and have some special video messages from those who cannot attend in person. We hope you can be there as well. If you’re unable to attend, follow us on Twitter, Mastodon, LinkedIn, or Instagram for the results.
Hoping to see you in Vegas!