Microsoft Woos Hackers with Bounties for Bugs
Google and others have been doing it for years, but this week Microsoft finally jumped on board with three bug bounty programs of its own. "It could be said that they are late to the game in terms of engaging and incentivizing the broader security community, but the fact that they've reversed this and launched their own bug bounty program is fantastic," said BugCrowd CEO Casey Ellis.
Jun 21, 2013 9:55 AM PT
Following in the footsteps of rivals including Google and Mozilla, Microsoft this week hung a figurative "Wanted" sign in its Security Response Center offering rewards up to US$100,000 for those who find vulnerabilities in its software.
Specifically, the software giant on Wednesday announced three "bug bounty" programs, as they're generally known, in an effort to find and fix vulnerabilities in software including the upcoming releases of Windows 8.1 and Internet Explorer 11.
"Our new bounty programs add fresh depth and flexibility to our existing community outreach programs," Microsoft explained. "Having these bounty programs provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers."
'Truly Novel Techniques'
First among the new programs to launch next week is the ongoing Mitigation Bypass Bounty, which will pay out up to $100,000 for the identification of "truly novel exploitation techniques" in Windows 8.1 Preview.
Also ongoing is the BlueHat Bonus for Defense bounty program, which will reward up to $50,000 for defensive ideas, with the caveat that entries must accompany a qualifying Mitigation Bypass submission.
The third program, dubbed the Internet Explorer 11 Preview Bug Bounty, will run just during the Internet Explorer 11 beta period between June 26 and July 26, with tiered rewards ranging from $500 to $11,000.
Microsoft hopes to shore up any vulnerabilities before the official release of Internet Explorer 11 running on Windows 8.1, it said.
'Three Years Late'
Bug bounties are a fairly common way for Internet software companies to help identify and fix holes. Google, Mozilla, PayPal and Facebook are among the companies with longstanding bounty programs already in place.
Google, for example, rewards between $500 and $20,000 to programmers and hackers who notify it of any vulnerabilities.
"The first vendor bug bounty was Mozilla in 2004, but they really started to become popular after Google started theirs in 2010," Veracode CTO and chief information security officer Chris Wysopal told the E-Commerce Times. "So Microsoft is about three years late getting into the game."
Still, the scope of Microsoft's is a little different, BugCrowd CEO Casey Ellis noted.
'We've Benefited by Watching'
"Microsoft's bug bounty program covers products which are installed by consumers and enterprises 'within' their own environments," Ellis told the E-Commerce Times. "A bug in IE can be used to take over the system of anyone who runs that software and is vulnerable to that bug, and from there a lot of bad things can happen.
"There aren't many companies in Microsoft's position who are running bounty programs," Ellis added, noting that Facebook, for example, run its bug bounty program on systems and applications it hosts itself.
"The bounty and vulnerability landscapes have evolved in fascinating ways, and we've benefited by watching, learning from and talking with others who have developed and managed bounty programs," Dustin Childs, group manager for incident response communications within Microsoft's Trustworthy Computing Group, told the E-Commerce Times.
Indeed, "Microsoft held a strong 'we do not pay for bugs' position for quite a long time, and it could be said that they are late to the game in terms of engaging and incentivizing the broader security community, but the fact that they've reversed this and launched their own bug bounty program is fantastic," said Ellis.
Some bugs do get reported without a bounty program in place, Wysopal noted, but bounties can actually save a company money.
"If there's an issue in software, the bad guy is already looking for it," Ellis pointed out.
The hope is that the reward will encourage someone to report the vulnerability rather than use it to do harm.
"Bug bounty programs create the same financial motivations that already exist in the black hat community and get lots of different people with lots of different skill-sets and approaches looking at the target," Ellis explained. "In our experience they are incredibly effective -- both for coverage (i.e. finding all of the bugs) and depth (i.e. finding the bugs which are otherwise difficult to find)."
The black market in security bugs "is definitely part of the equation that helps set the price on bounties, but also the high cost of patching bugs that are found in the wild," said Wysopal. "It is a combination of the two that makes it good economics for vendors to have a bug bounty program."
'They Might Actually Hire You'
Hackers in the community, meanwhile, benefit as well.
"It's as much about status as it is anything else," Rob Enderle, principal analyst at Enderle Group, told the E-Commerce Times. "People compete to find the most bugs and get recognition."
In some cases, finding and reporting bugs can even turn into a job.
"For kids out of school who haven't found jobs yet," Enderle noted, "they might actually hire you."