6/27/2013
Microsoft's Big Bucks For Bugs Ups The Ante

How Microsoft's new bug bounty program will play in the quest for more secure software

When Microsoft senior security strategist Katie Moussouris was asked two years ago whether Microsoft would ever consider a bug bounty program of its own, she left the door open ever so slightly on whether the software giant would abandon its longtime philosophy of not paying for vulnerability finds.

"We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," Moussouris said at the launch of the BlueHat Prize when Dark Reading asked her whether Microsoft would ever offer a full-blown bug bounty program.

Fast-forward to today: Microsoft has now officially kicked off a newly announced, game-changing three-part bug bounty program. It represents a major shift in strategy for Microsoft, and in what could become the new normal for major security vendors -- officially enlisting and paying big bucks for the third-party discovery of key security holes in their products. The software giant was a conspicuous holdout in bug bounties, while Google, Mozilla, Facebook, and PayPal already had such programs in place.

There's no such thing as bug-free software, of course, but security experts say Microsoft's new bounty program -- announced last week -- could go a long way to make its software safer because it will catch bugs in prerelease versions of its products, before they are widely deployed. Microsoft's program differs from other vendors' in that it also emphasizes the discovery of new defenses -- not just new flaws.

"We'll never be in front -- it is always a response game" in vulnerability discovery, says Trey Ford, general manager of Black Hat. "Microsoft's strategy speaks to a coordinated process ... with an articulated program that speaks to their strategy, looking for vulns and exploits tied to those mechanisms so they can reinforce those defenses.

"Microsoft made a very wise play for key defense mechanisms to focus this bug bounty program on," Ford says.

Microsoft's new program offers $100,000 for exploits that can bypass Microsoft's mitigation defense technologies in Windows 8.1 Preview; up to $50,000 for new defense techniques for that platform; and up to $11,000 for critical security flaw finds in the preview version of the new Internet Explorer, version 11, on Windows 8.1. The IE11 bounty is being offered through July 26, while the preview version is available.

It doesn't replace Microsoft's annual BlueHat Prize contest, however, which Microsoft awarded for the first time last year at Black Hat for a defense method to fight memory-safety exploitation attacks. But it does play off the same theme of finding new attack mitigation methods.

With the mitigation bypass bounty, for instance, Microsoft is looking for new techniques that can break its latest platform's attack mitigations, Moussouris said in an interview with Dark Reading this week. "We didn't want to wait for another contest," she says. "You can get an extra $50,000 for a new attack [on our mitigation defenses] if you can come up with a way" to defend it as well, she says.

Moussouris says the programs are aimed at catching bugs before they get weaponized. In the case of the IE 11 preview version, the goal is to get any bugs found sooner, before the browser goes into final release form. "We wanted to address them as early as possible," she says.

[Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. See Coordinated Disclosure, Bug Bounties Help Speed Patches.]

Andrew Storms, director of security operations for Tripwire, says Microsoft's bounty programs benefit both users and researchers. "This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products. It's also great for security researchers since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways," Storms says.

The programs could also help narrow the window for attackers. But that doesn't mean Microsoft will have a set patch deadline: "Each vulnerability is going to be different in terms of the investigation time it requires," Moussouris says. "What users will be able to see is that we're getting advance knowledge of vulnerabilities and bypasses or holes in the shield of our platform earlier -- a lot earlier than waiting for a particular [hacking] contest."

About-Face
So what really pushed Microsoft to start paying for vulnerabilities in its software?

"We looked at the data for what finders were doing with vulnerabilities ... most finders [in the past three years] were coming directly to us even though there are white-market brokers out there," Moussouris says. "At the time, it made sense for us to continue to do what we were doing with individual vulnerabilities and offer the BlueHat Prize."

Chris Wysopal, CTO at Veracode, says Microsoft's bug bounty reversal demonstrates its desire to work more closely with the security research community. "Microsoft prides themselves in taking security seriously, working with researchers -- they had the first Black Hat researcher appreciation party 10 years ago," Wysopal says. "But when Google and Facebook and a lot of others latched onto the bug bounty thing, and researchers applauded it as showing they were working with the community," Microsoft wanted to get on board there, too, he says.

While Microsoft's Security Development Lifecycle (SDL) program eradicated many of the security problems the vendor had suffered previously, the bug bounty program can help it fill in additional gaps, experts say.

Wysopal says researchers are finding and selling vulns on the black market even with existing bug bounty programs available. So software vendors are faced with coming up with a counterstrategy: "You have that tension on both sides. Do I invest more on an SDLC, or am I getting diminishing returns? Or do I compete with the black market" with a bounty program, he says. "We want software to be more secure, and on the other hand, things are going on in the black market, and you need a short-term way to address that."

With Microsoft now in the bug bounty game, the value of some exploits could rise as well, notes Black Hat's Ford. "Will it drive up the value of exploits targeting those systems? Sure. Will it throw off a rootkit for the underground? You bet," he says. "And if it's efficient, it's going to make it harder to exploit those because the window is closing faster. It turns into an arms race at that point."

The big question is which vendor will be next with a bug bounty program, Veracode's Wysopal says. "I just wonder if Oracle or Cisco would ever do this," Wysopal says. "Will they get pressured to do it, too?"

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...