"We continue to evaluate the best way to collaborate with the research community, and we'll let you know if anything changes there," Moussouris said at the launch of the BlueHat Prize when Dark Reading asked her whether Microsoft would ever offer a full-blown bug bounty program.
Fast-forward to today: Microsoft has now officially kicked off a newly announced, game-changing three-part bug bounty program. It represents a major shift in strategy for Microsoft, and in what could become the new normal for major security vendors -- officially enlisting and paying big bucks for the third-party discovery of key security holes in their products. The software giant was a conspicuous holdout in bug bounties, while Google, Mozilla, Facebook, and PayPal already had such programs in place.
There's no such thing as bug-free software, of course, but security experts say Microsoft's new bounty program -- announced last week -- could go a long way to make its software safer because it will catch bugs in prerelease versions of its products, before they are widely deployed. Microsoft's program differs from other vendors' in that it also emphasizes the discovery of new defenses -- not just new flaws.
"We'll never be in front -- it is always a response game" in vulnerability discovery, says Trey Ford, general manager of Black Hat. "Microsoft's strategy speaks to a coordinated process ... with an articulated program that speaks to their strategy, looking for vulns and exploits tied to those mechanisms so they can reinforce those defenses.
"Microsoft made a very wise play for key defense mechanisms to focus this bug bounty program on," Ford says.
Microsoft's new program offers $100,000 for exploits that can bypass Microsoft's mitigation defense technologies in Windows 8.1 Preview; up to $50,000 for new defense techniques for that platform; and up to $11,000 for critical security flaw finds in the preview version of the new Internet Explorer, version 11, on Windows 8.1. The IE11 bounty is being offered through July 26, while the preview version is available.
It doesn't replace Microsoft's annual BlueHat Prize contest, however, which Microsoft awarded for the first time last year at Black Hat for a defense method to fight memory-safety exploitation attacks. But it does play off the same theme of finding new attack mitigation methods.
With the mitigation bypass bounty, for instance, Microsoft is looking for new techniques that can break its latest platform's attack mitigations, Moussouris said in an interview with Dark Reading this week. "We didn't want to wait for another contest," she says. "You can get an extra $50,000 for a new attack [on our mitigation defenses] if you can come up with a way" to defend it as well, she says.
Moussouris says the programs are aimed at catching bugs before they get weaponized. In the case of the IE 11 preview version, the goal is to get any bugs found sooner, before the browser goes into final release form. "We wanted to address them as early as possible," she says.
[Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. See Coordinated Disclosure, Bug Bounties Help Speed Patches.]
Andrew Storms, director of security operations for Tripwire, says Microsoft's bounty programs benefit both users and researchers. "This is a big step forward for Microsoft consumers because it should result in fewer bugs in released products. It's also great for security researchers since they now have incentives to find and report Microsoft bugs instead of using them in less beneficial ways," Storms says.
The programs could also help narrow the window for attackers. But that doesn't mean Microsoft will have a set patch deadline: "Each vulnerability is going to be different in terms of the investigation time it requires," Moussouris says. "What users will be able to see is that we're getting advanced knowledge of vulnerabilities and bypasses or holes in the shield of our platform earlier -- a lot earlier than waiting for a particular [hacking] contest."
So what really pushed Microsoft to start paying for vulnerabilities in its software?
"We looked at the data for what finders were doing with vulnerabilities ... most finders [in the past three years] were coming directly to us even though there are white-market brokers out there," Moussouris says. "At the time, it made sense for us to continue to do what we were doing with individual vulnerabilities and offer the BlueHat Prize."
Chris Wysopal, CTO at Veracode, says Microsoft's bug bounty reversal demonstrates its desire to work more closely with the security research community. "Microsoft prides themselves in taking security seriously, working with researchers -- they had the first Black Hat researcher appreciation party 10 years ago," Wysopal says. "But when Google and Facebook and a lot of others latched onto the bug bounty thing, and researchers applauded it as showing they were working with the community," Microsoft wanted to get on board there, too, he says.
While Microsoft's secure software development life cycle (SDL) program eradicated many of the security problems the vendor had suffered previously, the bug bounty program can help it fill in additional gaps, experts say.
Wysopal says researchers are finding and selling vulns on the black market even with existing bug bounty programs available. So software vendors are faced with coming up with a counterstrategy: "You have that tension on both sides. Do I invest more on an SDLC, or am I getting diminishing returns? Or do I compete with the black market" with a bounty program, he says. "We want software to be more secure, and on the other hand, things are going on in the black market, and you need a short-term way to address that."
With Microsoft now in the bug bounty game, the value of some exploits could rise as well, notes Black Hat's Ford. "Will it drive up the value of exploits targeting those systems? Sure. Will it throw off a rootkit for the underground? You bet," he says. "And if it's efficient, it's going to make it harder to exploit those because the window is closing faster. It turns into an arms race at that point."
The big question is which vendor will be next with a bug bounty program, Veracode's Wysopal says. "I just wonder if Oracle or Cisco would ever do this," Wysopal says. "Will they get pressured to do it, too?"