Microsoft Reverses Course On Bug Bounties With Reward Program


Microsoft has said publicly for years that it would never offer a reward program to white hat hackers who find flaws in its software. The company reversed course on Wednesday, announcing a bug bounty program for serious coding errors found in its latest software.

The company announced that it would pay up to $100,000 for "truly novel" attacks that bypass defensive measures in the latest version of its operating system, Windows 8.1 Preview. The company will also pay out up to $11,000 for critical vulnerabilities that affect Internet Explorer 11 Preview. The browser must be exploited on systems running Windows 8.1 Preview, the software maker said.

In the past, Microsoft participated in hacking competitions in its outreach to security researchers, but the company decided that it didn't want to wait for another competition to learn about exploitation techniques, said Katie Moussouris, Microsoft's senior security strategist, in a blog post explaining the company's change in philosophy.


"Learning about mitigation bypasses on our latest platform, or 'holes in the shield,' helps us better protect against entire classes of attacks and can help us move the state of security in our products by leaps, rather than by small increments that a traditional bug bounty alone would," Moussouris wrote.

In addition, Microsoft said it was continuing to seek out innovative defensive technologies that it could build into its operating system.

The company would pay up to $50,000 for technologies that mitigate the techniques attackers use to bypass security restrictions. The goal is to make it more costly for cybercriminals to attack a victim's system, the software maker said.

The payments will be "direct cash payouts," Microsoft said in its announcement. The program will officially launch June 26.

Security experts praised Microsoft's decision to launch a bug bounty program. The change in philosophy could be indicative of the maturity Microsoft has in its software development processes and the confidence it has in the code base of its latest operating system, said Chris Camejo, director of consulting and professional services at Integralis, a Bloomfield, Conn.-based security services provider.

"They probably finally feel they have great [quality assurance] in place so that they are not going to be handing out major payouts all the time," Camejo told CRN, warning that Microsoft's older platforms and software will still capture attention from exploit writers. "There may not be a lot of motivation for a private researcher to look for stuff in Microsoft XP, but there is still plenty of motivation for the bad guys to look for vulnerabilities to exploit."

Camejo and others noted that Microsoft's bug bounty rewards are significantly higher than those of other firms. Microsoft joins Google, which maintains a reward program for vulnerabilities submitted for Chrome and its Web applications. The Mountain View, Calif.-based search giant pays out between $500 and $1,333.70 for critical bugs submitted by security researchers. Critical flaws found in YouTube, Gmail and other Google services have payouts as high as $20,000 for the most dangerous discovered flaws.

Mozilla was first to launch a bug bounty program that rewards security researchers. Yahoo, Facebook and PayPal also run programs. Apple does not have a formal program to reward bug hunters with cash payouts.

Rather than paying the cost of a vulnerability after an attacker exposes it, Microsoft, through its bug bounty program, is paying up-front costs and, ultimately, providing a better user experience, Jeremiah Grossman, founder and CTO of WhiteHat Security, told CRN.

"They're paying relatively the same rate of what a researcher might expect to receive later, but [are making] the payment sooner, where it's easier for Microsoft to address and better for users," said Grossman, who called Microsoft's change in policy "significant."

Grossman said Microsoft is actually correcting a flaw in the bug market. Security researchers typically analyze preview versions of software closely for flaws, but they are forced to hold on to their findings because bug brokers, and previously Microsoft, do not pay for bugs in preview products.

The program will likely move white hat researchers away from closely scrutinizing older software, but the change would have minimal impact on security, Grossman said. "If there's a limited amount of bug hunters, which of course there is, some of their energy will be diverted to IE11 preview instead of other older Microsoft software," he said.

In addition, bug hunters could still turn to vulnerability reward programs run by VeriSign and Hewlett-Packard. The VeriSign iDefense and the HP-TippingPoint Zero Day Initiative (ZDI) programs were designed to reward researchers for responsibly disclosing vulnerabilities and to give TippingPoint appliance users and VeriSign threat intelligence customers faster protection from threats.

PUBLISHED JUNE 19, 2013