Looking Back at the Trend ZDI Activities from 2024

It’s a new year, but before we look forward to breaking all of our resolutions, let’s pause to take a look at the year that was for Trend Zero Day Initiative™ (ZDI).

Pwn2Own Competitions Keep Exceeding Expectations

Even though we just completed Pwn2Own Automotive 2025, we would be remiss if we didn’t mention the inaugural edition that occurred in January 2024. That contest brought together some of the best automotive researchers around the globe to the biggest (literally) Pwn2Own stage in history. The event garnered more participation than expected, as we awarded a record-setting amount of $1,323,750 for the discovery of 49 unique zero-day vulnerabilities across the three days of competition. From there, we moved on to Vancouver, where Manfred Paul wowed us all by hacking Chrome, Edge, Firefox, and Safari on his way to winning Master of Pwn. That event awarded $1,132,500 for 29 unique 0-days and also saw the first Docker escape at a Pwn2Own event. We ended by moving to Ireland and our Cork offices. This contest also saw the end of remote participation and required all contestants to be onsite. Over the four days of the contest, we awarded $1,066,625 for over 70 0-day vulnerabilities. That means Pwn2Own awarded over $3,500,000 in 2024 for 148 unique 0-days.

By the Numbers

In 2024, Trend ZDI published 1,741 advisories, which is down slightly from last year’s record high of 1,913 (more on that in a bit). While not a record-setting year, we’re just fine with that total. We don’t need to set a new mark every year – it’s just not sustainable. And while we do work with some of the best researchers from around the globe, our own researchers had a great year, too. Just over 40% of all published advisories were reported by Trend ZDI security researchers. Here’s how those numbers of advisories stack up year-over-year. 

Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined over the next two years. However, while this number grew in 2023, it was down slightly in 2024. It decreased from 10.2% of disclosures to 9.7% - so not too much of a change at all.

Here’s a breakdown of advisories by vendor. While the top vendor (AutoDesk) may surprise you, we’ve worked with them extensively this year to improve their products. They’ve actually been a great partner to work with. The number two vendor, Delta Electronics, should also indicate to you the state of ICS/SCADA security, which we believe is still not up to par with their enterprise counterparts. This also marks the first year that we reported more Apple bugs than Adobe bugs, but something tells me that the trend won’t continue in 2025. Speaking of Adobe, PDF parsing remains a security challenge for vendors beyond just Acrobat and Reader. Foxit, Kofax/Tungsten Automation, and PDF-XChange all had a significant number of file parsing bugs reported by Trend ZDI.

Of course, we’re always looking to acquire impactful bugs, and here’s an interesting comparison from 2023. Even though we published fewer bugs in 2024, we disclosed more Critical and High severity bugs in 2024 than we did in 2023. We put quality over quantity.

Here’s how that compares to previous years:

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2024:

It’s a bit disconcerting to see so many “simple” bugs, such as stack overflows and SQL injections, still account for so many bugs. Let’s hope that changes in 2025.

Looking Ahead

Moving into the new year, we anticipate staying just as busy. We just completed Pwn2Own Automotive 2025 and have a special announcement about our next Pwn2Own contest coming up soon. Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available. We also have more than 350 cases waiting to be patched, and our incoming queue is overflowing as we’re still catching up.

We’re also looking to update our website and blog at some point this year. I know – I said that last year as well, but this time, I mean it. When that occurs, I promise I’ll do everything possible to ensure you will be able to choose between a light and dark theme. We’re also hoping to expand our video offerings, and I’ll continue offering the Patch Report on Patch Tuesdays and hope to tweak the format a bit in the coming year.

As always, we look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, 2025 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.