Risk

6/27/2013 03:22 PM

Microsoft's Big Bucks For Bugs Ups The Ante

How Microsoft's new bug bounty program will play in the quest for more secure software

When Microsoft senior security strategist Katie Moussouris was asked two years ago whether Microsoft would ever consider a bug bounty program of its own, she left the door open ever so slightly on whether the software giant would abandon its longtime philosophy of not paying for vulnerability finds.

"We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," Moussouris said at the launch of the BlueHat Prize when Dark Reading asked her whether Microsoft would ever offer a full-blown bug bounty program.

Fast-forward to today: Microsoft has now officially kicked off a newly announced, game-changing three-part bug bounty program. It represents a major shift in strategy for Microsoft, and in what could become the new normal for major security vendors -- officially enlisting and paying big bucks for the third-party discovery of key security holes in their products. The software giant was a conspicuous holdout in bug bounties, while Google, Mozilla, Facebook, and PayPal already had such programs in place.

There's no such thing as bug-free software, of course, but security experts say Microsoft's new bounty program -- announced last week -- could go a long way to make its software safer because it will catch bugs in prerelease versions of its products, before they are widely deployed. Microsoft's program differs from other vendors' in that it also emphasizes the discovery of new defenses -- not just new flaws.

"We'll never be in front -- it is always a response game" in vulnerability discovery, says Trey Ford, general manager of Black Hat. "Microsoft's strategy speaks to a coordinated process ... with an articulated program that speaks to their strategy, looking for vulns and exploits tied to those mechanisms so they can reinforce those defenses.

"Microsoft made a very wise play for key defense mechanisms to focus this bug bounty program on," Ford says.

Microsoft's new program offers $100,000 for exploits that can bypass Microsoft's mitigation defense technologies in Windows 8.1 Preview; up to $50,000 for new defense techniques for that platform; and up to $11,000 for critical security flaw finds in the preview version of the new Internet Explorer, version 11, on Windows 8.1. The IE11 bounty is being offered through July 26, while the preview version is available.

It doesn't replace Microsoft's annual BlueHat Prize contest, however, which Microsoft awarded for the first time last year at Black Hat for a defense method to fight memory-safety exploitation attacks. But it does play off the same theme of finding new attack mitigation methods.

With the mitigation bypass bounty, for instance, Microsoft is looking for new techniques that can break its latest platform's attack mitigations, Moussouris said in an interview with Dark Reading this week. "We didn't want to wait for another contest," she says. "You can get an extra $50,000 for a new attack [on our mitigation defenses] if you can come up with a way" to defend it as well, she says.

Moussouris says the programs are aimed at catching bugs before they get weaponized. In the case of the IE 11 preview version, the goal is to get any bugs found sooner, before the browser goes into final release form. "We wanted to address them as early as possible," she says.

[Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. See Coordinated Disclosure, Bug Bounties Help Speed Patches.]

Andrew Storms, director of security operations for Tripwire, says Microsoft's bounty programs benefit both users and researchers. "This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products. It's also great for security researchers since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways," Storms says.

The programs could also help narrow the window for attackers. But that doesn't mean Microsoft will have a set patch deadline: "Each vulnerability is going to be different in terms of the investigation time it requires," Moussouris says. "What users will be able to see is that we're getting advanced knowledge of vulnerabilities and bypasses or holes in the shield of our platform earlier -- a lot earlier than waiting for a particular [hacking] contest."

About-Face
So what really pushed Microsoft to start paying for vulnerabilities in its software?

"We looked at the data for what finders were doing with vulnerabilities ... most finders [in the past three years] were coming directly to us even though there are white-market brokers out there," Moussouris says. "At the time, it made sense for us to continue to do what we were doing with individual vulnerabilities and offer the BlueHat Prize."

Chris Wysopal, CTO at Veracode, says Microsoft's bug bounty reversal demonstrates its desire to work more closely with the security research community. "Microsoft prides themselves in taking security seriously, working with researchers -- they had the first Black Hat researcher appreciation party 10 years ago," Wysopal says. "But when Google and Facebook and a lot of others latched onto the bug bounty thing, and researchers applauded it as showing they were working with the community," Microsoft wanted to get on board there, too, he says.

While Microsoft's secure software development life cycle (SDL) program eradicated many of the security problems the vendor had suffered previously, the bug bounty program can help it fill in additional gaps, experts say.

Wysopal says researchers are finding and selling vulns on the black market even with existing bug bounty programs available. So software vendors are faced with coming up with a counterstrategy: "You have that tension on both sides. Do I invest more on an SDLC, or am I getting diminishing returns? Or do I compete with the black market" with a bounty program, he says. "We want software to be more secure, and on the other hand, things are going on in the black market, and you need a short-term way to address that."

With Microsoft now in the bug bounty game, the value of some exploits could rise as well, notes Black Hat's Ford. "Will it drive up the value of exploits targeting those systems? Sure. Will it throw off a rootkit for the underground? You bet," he says. "And if it's efficient, it's going to make it harder to exploit those because the window is closing faster. It turns into an arms race at that point."

The big question is which vendor will be next with a bug bounty program, Veracode's Wysopal says. "I just wonder if Oracle or Cisco would ever do this," Wysopal says. "Will they get pressured to do it, too?"

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
