
Microsoft's Big Bucks For Bugs Ups The Ante

How Microsoft's new bug bounty program will play in the quest for more secure software

When Microsoft senior security strategist Katie Moussouris was asked two years ago whether Microsoft would ever consider a bug bounty program of its own, she left the door open ever so slightly on whether the software giant would abandon its longtime philosophy of not paying for vulnerability finds.

"We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," Moussouris said at the launch of the BlueHat Prize when Dark Reading asked her whether Microsoft would ever offer a full-blown bug bounty program.

Fast-forward to today: Microsoft has now officially kicked off a newly announced, game-changing three-part bug bounty program. It represents a major shift in strategy for Microsoft, and in what could become the new normal for major security vendors -- officially enlisting and paying big bucks for the third-party discovery of key security holes in their products. The software giant was a conspicuous holdout in bug bounties, while Google, Mozilla, Facebook, and PayPal already had such programs in place.

There's no such thing as bug-free software, of course, but security experts say Microsoft's new bounty program -- announced last week -- could go a long way to make its software safer because it will catch bugs in prerelease versions of its products, before they are widely deployed. Microsoft's program differs from other vendors' in that it also emphasizes the discovery of new defenses -- not just new flaws.

"We'll never be in front -- it is always a response game" in vulnerability discovery, says Trey Ford, general manager of Black Hat. "Microsoft's strategy speaks to a coordinated process ... with an articulated program that speaks to their strategy, looking for vulns and exploits tied to those mechanisms so they can reinforce those defenses.

"Microsoft made a very wise play for key defense mechanisms to focus this bug bounty program on," Ford says.

Microsoft's new program offers $100,000 for exploits that can bypass Microsoft's mitigation defense technologies in Windows 8.1 Preview; up to $50,000 for new defense techniques for that platform; and up to $11,000 for critical security flaw finds in the preview version of the new Internet Explorer, version 11, on Windows 8.1. The IE11 bounty is being offered through July 26, while the preview version is available.

It doesn't replace Microsoft's annual BlueHat Prize contest, however, which Microsoft awarded for the first time last year at Black Hat for a defense method to fight memory-safety exploitation attacks. But it does play off the same theme of finding new attack mitigation methods.

With the mitigation bypass bounty, for instance, Microsoft is looking for new techniques that can break its latest platform's attack mitigations, Moussouris said in an interview with Dark Reading this week. "We didn't want to wait for another contest," she says. "You can get an extra $50,000 for a new attack [on our mitigation defenses] if you can come up with a way" to defend it as well, she says.

Moussouris says the programs are aimed at catching bugs before they get weaponized. In the case of the IE11 preview version, the goal is to get any bugs found sooner, before the browser goes into final release form. "We wanted to address them as early as possible," she says.

[Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. See Coordinated Disclosure, Bug Bounties Help Speed Patches.]

Andrew Storms, director of security operations for Tripwire, says Microsoft's bounty programs benefit both users and researchers. "This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products. It's also great for security researchers since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways," Storms says.

The programs could also help narrow the window for attackers. But that doesn't mean Microsoft will have a set patch deadline: "Each vulnerability is going to be different in terms of the investigation time it requires," Moussouris says. "What users will be able to see is that we're getting advanced knowledge of vulnerabilities and bypasses or holes in the shield of our platform earlier -- a lot earlier than waiting for a particular [hacking] contest."

So what really pushed Microsoft to start paying for vulnerabilities in its software?

"We looked at the data for what finders were doing with vulnerabilities ... most finders [in the past three years] were coming directly to us even though there are white-market brokers out there," Moussouris says. "At the time, it made sense for us to continue to do what we were doing with individual vulnerabilities and offer the BlueHat Prize."

Chris Wysopal, CTO at Veracode, says Microsoft's bug bounty reversal demonstrates its desire to work more closely with the security research community. "Microsoft prides themselves in taking security seriously, working with researchers -- they had the first Black Hat researcher appreciation party 10 years ago," Wysopal says. "But when Google and Facebook and a lot of others latched onto the bug bounty thing, and researchers applauded it as showing they were working with the community," Microsoft wanted to get on board there, too, he says.

While Microsoft's secure software development life cycle (SDL) program eradicated many of the security problems the vendor had suffered previously, the bug bounty program can help it fill in additional gaps, experts say.

Wysopal says researchers are finding and selling vulns on the black market even with existing bug bounty programs available. So software vendors are faced with coming up with a counterstrategy: "You have that tension on both sides. Do I invest more on an SDLC, or am I getting diminishing returns? Or do I compete with the black market" with a bounty program, he says. "We want software to be more secure, and on the other hand, things are going on in the black market, and you need a short-term way to address that."

With Microsoft now in the bug bounty game, the value of some exploits could rise as well, notes Black Hat's Ford. "Will it drive up the value of exploits targeting those systems? Sure. Will it throw off a rootkit for the underground? You bet," he says. "And if it's efficient, it's going to make it harder to exploit those because the window is closing faster. It turns into an arms race at that point."

The big question is which vendor will be next with a bug bounty program, Veracode's Wysopal says. "I just wonder if Oracle or Cisco would ever do this," Wysopal says. "Will they get pressured to do it, too?"

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
