From Buffer Overflows to Breaking AI: Two Decades of ZDI Vulnerability Research

No ratings

Presented at Power of Community 2025 by

Brian Gorenc

As Power of Community and the Zero Day Initiative both mark 20 years, it’s time to reflect on how vulnerability research grew from an underground hobby into a global industry. What began as a scrappy side project at TippingPoint evolved into the world’s largest vendor-agnostic bug bounty program—one that’s paid tens of millions of dollars to researchers, disclosed more than 16,000 vulnerabilities, and convinced the industry (mostly) that disclosure beats chaos. Over two decades, the ZDI has witnessed the shift from buffer overflows to exploit chains spanning a dozen bugs, from desktop exploits to attacks on connected cars, and from manual code review to AI systems discovering zero-days autonomously. Pwn2Own grew from a niche contest into a million-dollar competition, with researchers evolving from solo contributors to global teams tackling increasingly complex targets. Yet, the story is not just about progress—it’s about irony. The AI revolution now driving vulnerability discovery is built on the same fragile foundations we’ve been exploiting for decades. Memory corruption, deserialization flaws, and command injection attacks remain pervasive, even in the infrastructure behind today’s most advanced artificial intelligence systems. In effect, we are creating the most powerful vulnerability discovery engines in history and aiming them at digital systems still held together with duct tape and good intentions. This keynote will celebrate the legendary exploits and research breakthroughs that shaped the industry, explore the regulatory and community forces that defined its trajectory, and confront the beautiful contradiction of our time: can we secure the AI-powered future faster than our automated tools can break it?