Microsoft: Here's Why We Changed Our Mind And Created Bug Bounty Programs
For years, Microsoft refused to pay security researchers for submitting the vulnerabilities they found while testing Microsoft software. That changed last summer, when Microsoft launched three so-called bug bounty programs.

Why the change of heart? Katie Moussouris, senior security strategist lead at Microsoft, said the goal is to disrupt the black market for security bugs, as opposed to competing with it. Microsoft, Redmond, Wash., also wants to strike up relationships with new types of researchers, she said Thursday in a session at the RSA 2014 conference in San Francisco.

In 2010, more than 90 percent of bulletin-class vulnerabilities that researchers reported directly to Microsoft were submitted for free. Instead of paying these researchers, Microsoft credited them in its security bulletins. This recognition used to be a way for researchers to build valuable cachet in the security community.


That all changed with the rise of the black market for security vulnerabilities, in which researchers can get up to $1 million for the bugs they find in vendors' software. And when the trend shifted to researchers reporting bugs to vulnerability brokers instead of to Microsoft, the software giant decided to adopt the bug bounty model, Moussouris said.

With its bug bounty programs, Microsoft now offers year-round compensation to researchers who generally sell their exploits on the white market. In so doing, Microsoft is shortening the usefulness and effectiveness of the black market, Moussouris said.

Andrew Plato, president of Anitian Enterprise Security, Beaverton, Ore., told CRN that while it's good Microsoft "finally accepted reality and started paying for bugs," it was also "very late" to embrace a model already widely used in the security market.

Peter Bybee, president and CEO of San Diego-based Security On-Demand, a managed security services provider, thinks that while the move is overdue, Microsoft deserves some credit for adopting the bug bounty model.

"It’s a good gesture to communicate to their user base that they are not as complacent as everyone assumes they are," Bybee said in an email. "We’ve all been living with Patch Tuesdays for years, and I think that everyone assumed that they would not take a more proactive stance."

Microsoft has paid $253,000 in bug bounties so far, including $100,000 earlier this month to a researcher who came up with new variants on existing attack techniques, Moussouris said, adding that this helps Microsoft improve its platform defenses.

In Microsoft's Mitigation Bypass Bounty program, researchers can get paid up to $100,000 for "truly novel exploitation techniques" against the protections built into Windows 8.1. They can get an additional $50,000 if they come up with a defensive technique for the exploit they've created.

In Microsoft's IE 11 Preview Bug Bounty program, researchers could get up to $11,000 for critical vulnerabilities in the IE 11 preview running on Windows 8.1.

Despite the change of heart on bug bounties, Microsoft's Security Development Lifecycle is still the best way for organizations to secure their software, Moussouris said. "You cannot penetration-test your way to security in your software," she said.

PUBLISHED FEB. 27 2014