ZDI-powered vulnerabilities from the TrendAI™ Zero Day Initiative (ZDI) are surfaced in Threat and Exposure Management, providing advance visibility into high-severity vulnerabilities before public disclosure.
TrendAI Vision One™ integrates intelligence from the TrendAI™ Zero Day Initiative (ZDI), the world's largest vendor-agnostic bug bounty program,
to generate risk events for vulnerabilities that have not yet been publicly disclosed.
When a vulnerability is reported to ZDI, its details remain confidential while the affected vendor develops a fix. ZDI-powered vulnerabilities give you advance warning during this pre-disclosure period, so you can take protective action before a public advisory or CVE is published.
The ZDI responsible disclosure process follows these stages:
- Security researchers submit a vulnerability to ZDI.
- ZDI assigns an internal pre-disclosure tracking identifier called a ZDI-CAN ID (for example, ZDI-CAN-28894) and notifies the affected vendor.
- The vendor typically has 120 days to develop and release a fix.
- At public disclosure, ZDI publishes an advisory with a ZDI ID (for example, ZDI-25-423). If the vendor acknowledges the vulnerability, a CVE ID is assigned. Some vulnerabilities may never receive a CVE ID.
TrendAI Vision One™ generates the following risk event types based on the disclosure phase of a ZDI vulnerability.
Each asset receives one risk event per vulnerability. ZDI-powered vulnerabilities
are linked to any associated CVE risk events and are not duplicated for the same vulnerability
on the same asset.
ZDI-powered risk event types

| Risk event type | Description | Disclosure phase |
| --- | --- | --- |
| ZDI vulnerability alert | Generated when an asset is detected running a software version known to be affected by a pre-disclosure ZDI vulnerability. Vulnerability details are not disclosed until the vendor patch is available or the ZDI disclosure deadline passes. | Pre-disclosure (ZDI-CAN ID only) |
| Time-critical vulnerability alert | Generated when ZDI publicly discloses a vulnerability and an asset is detected as affected. The vulnerability may be a zero-day (no patch available) or N-day (patch available but not yet applied) vulnerability. | Post-disclosure (ZDI ID assigned) |
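The following Python is an added illustration of the event rules above, not TrendAI Vision One code: an identifier that is only a ZDI-CAN ID puts the vulnerability in the pre-disclosure phase (ZDI vulnerability alert), a linked ZDI ID or CVE moves it to post-disclosure (Time-critical vulnerability alert), and identifiers that name the same flaw are linked so that an asset receives one event per vulnerability rather than one per identifier. The identifier syntax is inferred from the page's own examples (ZDI-CAN-28894, ZDI-25-423); the alias pairs, the CVE and the second ZDI-CAN ID in the sample are constructed placeholders, and the function names are this example's own.

```python
"""Illustrative model of the ZDI risk-event rules (not TrendAI Vision One code).
Identifier syntax is assumed from the page's examples; sample data below is constructed."""
import re
from dataclasses import dataclass

ZDI_CAN_RE = re.compile(r"^ZDI-CAN-\d+$")    # pre-disclosure tracking ID
ZDI_ID_RE = re.compile(r"^ZDI-\d{2}-\d+$")   # public advisory ID
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # assigned only if the vendor acknowledges


def identifier_kind(ident: str) -> str:
    """Classify an identifier as ZDI-CAN, ZDI or CVE; reject anything else."""
    ident = ident.strip().upper()
    if ZDI_CAN_RE.match(ident):
        return "ZDI-CAN"
    if ZDI_ID_RE.match(ident):
        return "ZDI"
    if CVE_RE.match(ident):
        return "CVE"
    raise ValueError(f"unrecognised vulnerability identifier: {ident!r}")


class AliasIndex:
    """Union-find over identifiers that denote the same vulnerability."""

    def __init__(self) -> None:
        self._parent: dict[str, str] = {}

    def find(self, ident: str) -> str:
        self._parent.setdefault(ident, ident)
        while self._parent[ident] != ident:
            self._parent[ident] = self._parent[self._parent[ident]]  # path halving
            ident = self._parent[ident]
        return ident

    def link(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self._parent[ra] = rb

    def members(self, ident: str) -> tuple[str, ...]:
        root = self.find(ident)
        return tuple(sorted(i for i in list(self._parent) if self.find(i) == root))


@dataclass(frozen=True)
class RiskEvent:
    asset: str
    event_type: str
    phase: str
    identifiers: tuple[str, ...]  # every known name for the vulnerability


def disclosure_phase(identifiers) -> str:
    """Any public name (ZDI ID or CVE) linked to the flaw means it has been disclosed."""
    kinds = {identifier_kind(i) for i in identifiers}
    return "post-disclosure" if kinds & {"ZDI", "CVE"} else "pre-disclosure"


def build_risk_events(observations, aliases) -> list[RiskEvent]:
    """observations: (asset, identifier) pairs produced by version matching.
    aliases: identifier pairs known to refer to the same vulnerability.
    Returns exactly one RiskEvent per (asset, vulnerability)."""
    index = AliasIndex()
    for a, b in aliases:
        index.link(a.strip().upper(), b.strip().upper())
    events: dict[tuple[str, str], RiskEvent] = {}
    for asset, ident in observations:
        ident = ident.strip().upper()
        identifier_kind(ident)  # reject malformed input early
        key = (asset, index.find(ident))
        if key in events:
            continue  # same vulnerability already reported on this asset
        names = index.members(ident)
        phase = disclosure_phase(names)
        event_type = ("ZDI vulnerability alert" if phase == "pre-disclosure"
                      else "Time-critical vulnerability alert")
        events[key] = RiskEvent(asset, event_type, phase, names)
    return sorted(events.values(), key=lambda e: (e.asset, e.identifiers))


# Constructed sample input. ZDI-CAN-28894 and ZDI-25-423 are the page's own examples;
# the CVE and the second ZDI-CAN ID are placeholders, not real advisories.
SAMPLE_ALIASES = [("ZDI-CAN-28894", "ZDI-25-423"), ("ZDI-25-423", "CVE-2025-99999")]
SAMPLE_OBSERVATIONS = [
    ("web-01", "ZDI-CAN-28894"),   # matched while the flaw was still confidential
    ("web-01", "ZDI-25-423"),      # same flaw, seen again under its public ZDI ID
    ("web-01", "CVE-2025-99999"),  # and once more under its CVE
    ("db-02", "ZDI-CAN-10001"),    # a different, still pre-disclosure vulnerability
]

if __name__ == "__main__":
    for event in build_risk_events(SAMPLE_OBSERVATIONS, SAMPLE_ALIASES):
        print(event)
```

Running the sample yields two events rather than four: web-01 gets a single Time-critical vulnerability alert carrying all three names for the disclosed flaw, and db-02 gets a ZDI vulnerability alert for the one that is still confidential. The zero-day versus N-day distinction depends on patch availability, which no identifier encodes, so the model leaves it out.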
The ZDI vulnerability profile includes a disclosure timeline showing the full lifecycle
of a ZDI vulnerability, from initial discovery through vendor notification, attack
prevention/detection rule availability, public disclosure, and patch release. The
timeline updates as the vulnerability progresses through each phase.
ZDI-powered vulnerabilities are identified in Threat and Exposure Management with a ZDI badge. To find a specific ZDI vulnerability by identifier, search by the
ZDI-CAN ID or ZDI ID. If a CVE has been assigned, the vulnerability can still be located
using the ZDI identifier.
Each ZDI vulnerability profile displays the following information.
ZDI vulnerability profile details

| Detail | Description |
| --- | --- |
| Common Vulnerability Scoring System (CVSS) score | Severity score based on the vulnerability characteristics. |
| Affected vendor and products | The vendor and product names associated with the vulnerability. |
| Vulnerable versions | Validated, confirmed vulnerable versions and possible vulnerable versions based on available information. |
| Disclosure timeline | A phased view of the vulnerability lifecycle showing vendor notification, attack prevention/detection rule availability, public disclosure, and patch release milestones. |
| Attack prevention/detection rules | Attack prevention/detection rules available for the vulnerability, applied through TrendAI Vision One™ capabilities such as Network Security or Endpoint Security. |
| Mitigation options | Suggested actions to reduce risk exposure on the affected asset. |
| References | Links to the ZDI advisory and other relevant sources. |
When a ZDI-powered vulnerability is detected on an asset, you can help prevent exploitation using the following mitigation measures.
Mitigation measures for ZDI risk events

| Measure | Description |
| --- | --- |
| Apply attack prevention/detection rules | If attack prevention/detection rules are available for the vulnerability, apply them through the suggested capability to reduce risk exposure while an official vendor patch is in development. |
| Isolate the affected endpoint | Isolate the affected endpoint to prevent potential threat spread, particularly if no attack prevention/detection rule is available or active exploitation is suspected. |
| Limit application exposure | For Windows application vulnerabilities, go to , locate the affected application, and mark the application as Untrusted to prevent the application from running until a patch is available. |
| Increase monitoring | Increase monitoring on the affected asset to detect unusual activity early and identify potential exploitation attempts. |
| Plan ahead for patching | ZDI-powered vulnerabilities provide advance notice before a vendor patch is publicly available. Use the lead time to prepare patching workflows so affected assets can be patched promptly when a fix is released. |
