Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:22 PM
Connect Directly

Microsoft's Big Bucks For Bugs Ups The Ante

How Microsoft's new bug bounty program will play in the quest for more secure software

When Microsoft senior security strategist Katie Moussouris was asked two years ago whether Microsoft would ever consider a bug bounty program of its own, she left the door open ever so slightly on whether the software giant would abandon its longtime philosophy of not paying for vulnerability finds.

"We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," Moussouris said at the launch of the BlueHat Prize when Dark Reading asked her whether Microsoft would ever offer a full-blown bug bounty program.

Fast-forward to today: Microsoft has now officially kicked off a newly announced, game-changing three-part bug bounty program. It represents a major shift in strategy for Microsoft, and in what could become the new normal for major security vendors -- officially enlisting and paying big bucks for the third-party discovery of key security holes in their products. The software giant was a conspicuous holdout in bug bounties, while Google, Mozilla, Facebook, and PayPal already had such programs in place.

There's no such thing as bug-free software, of course, but security experts say Microsoft's new bounty program -- announced last week -- could go a long way to make its software safer because it will catch bugs in prerelease versions of its products, before they are widely deployed. Microsoft's program differs from other vendors' in that it also emphasizes the discovery of new defenses -- not just new flaws.

"We'll never be in front -- it is always a response game" in vulnerability discovery, says Trey Ford, general manager of Black Hat. "Microsoft's strategy speaks to a coordinated process ... with an articulated program that speaks to their strategy, looking for vulns and exploits tied to those mechanisms so they can reinforce those defenses.

"Microsoft made a very wise play for key defense mechanisms to focus this bug bounty program on," Ford says.

Microsoft's new program offers $100,000 for exploits that can bypass Microsoft's mitigation defense technologies in Windows 8.1 Preview; up to $50,000 for new defense techniques for that platform; and up to $11,000 for critical security flaw finds in the preview version of the new Internet Explorer, version 11, on Windows 8.1. The IE11 bounty is being offered through July 26, while the preview version is available.

It doesn't replace Microsoft's annual BlueHat Prize contest, however, which Microsoft awarded for the first time last year at Black Hat for a defense method to fight memory-safety exploitation attacks. But it does play off the same theme of finding new attack mitigation methods.

With the mitigation bypass bounty, for instance, Microsoft is looking for new techniques that can break its latest platform's attack mitigations, Moussouris said in an interview with Dark Reading this week. "We didn't want to wait for another contest," she says. "You can get an extra $50,000 for a new attack [on our mitigation defenses] if you can come up with a way" to defend it as well, she says.

Moussouris says the programs are aimed at catching bugs before they get weaponized. In the case of the IE 11 preview version, the goal is to get any bugs found sooner, before the browser goes into final release form. "We wanted to address them as early as possible," she says.

[Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. See Coordinated Disclosure, Bug Bounties Help Speed Patches.]

Andrew Storms, director of security operations for Tripwire, says Microsoft's bounty programs benefit both users and researchers. "This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products. It's also great for security researchers since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways," Storms says.

The programs could also help narrow the window for attackers. But that doesn't mean Microsoft will have a set patch deadline: "Each vulnerability is going to be different in terms of the investigation time it requires," Moussouris says. "What users will be able to see is that we're getting advanced knowledge of vulnerabilities and bypasses or holes in the shield of our platform earlier -- a lot earlier than waiting for a particular [hacking] contest."

So what really pushed Microsoft to start paying for vulnerabilities in its software?

"We looked at the data for what finders were doing with vulnerabilities ... most finders [in the past three years] were coming directly to us even though there are white-market brokers out there," Moussouris says. "At the time, it made sense for us to continue to do what we were doing with individual vulnerabilities and offer the BlueHat Prize."

Chris Wysopal, CTO at Veracode, says Microsoft's bug bounty reversal demonstrates its desire to work more closely with the security research community. "Microsoft prides themselves in taking security seriously, working with researchers -- they had the first Black Hat researcher appreciation party 10 years ago," Wysopal says. "But when Google and Facebook and a lot of others latched onto the bug bounty thing, and researchers applauded it as showing they were working with the community," Microsoft wanted to get on board there, too, he says.

While Microsoft's secure software development life cycle (SDL) program eradicated many of the security problems the vendor had suffered previously, the bug bounty problem can help it fill in additional gaps, experts say.

Wysopal says researchers are finding and selling vulns on the black market even with existing bug bounty programs available. So software vendors are faced with coming up with a counterstrategy: "You have that tension on both sides. Do I invest more on an SDLC, or am I getting diminishing returns? Or do I compete with the black market" with a bounty program, he says. "We want software to be more secure, and on the other hand, things are going on in the black market ,and you need a short-term way to address that."

With Microsoft now in the bug bounty game, the value of some exploits could rise as well, notes Black Hat's Ford. "Will it drive up the value of exploits targeting those systems? Sure. Will it throw off a rootkit for the underground? You bet," he says. "And if it's efficient, it's going to make it harder to exploit those because the window is closing faster. It turns into an arms race at that point."

The big question is which vendor will be next with a bug bounty program, Veracode's Wysopal says. "I just wonder if Oracle or Cisco would ever do this," Wysopal says. "Will they get pressured to do it, too?"

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.