With bug bounties, Microsoft extends an olive branch to hacker community

Hackers can also net $100,000 for finding Windows 8.1 Preview vulnerabilities at Black Hat 2013 live bounty event

Extending an olive branch to the hacker community, Microsoft today announced three bug bounty programs through which the company will pay security researchers as much as $100,000 for sharing techniques for exploiting Windows 8.1 Preview and Internet Explorer 11 Preview, as well as viable ideas for general, broad system defense.

As part of the announcement, Microsoft will host a live Mitigation Bypass Bounty event at Black Hat USA 2013, where participants will attempt to hack the newest version of Windows in front of a judging committee. The winner will take home $100,000 and the accompanying laptop.

Microsoft now joins the ranks of companies such as Google, Barracuda, PayPal, and Facebook in offering bounties to researchers; according to Black Hat General Manager Trey Ford, it's a welcome and necessary change. "Black Hat advocates improving conversations around security. We laugh about how 'the age of innocence has passed.' The days of a legal gag order for researchers trying to innocently advise a software company of a vulnerability have long since passed," he told InfoWorld.

Katie Moussouris, senior security strategist at Microsoft, said the program is part of the company's ongoing effort to deepen its relationship with the security-research community -- a relationship that hasn't always been cordial. "In the early 2000s, Microsoft had to go through what I call 'the five stages of vulnerability response grief,'" she wrote. "This is a process that all vendors must invariably go through in order to reach the 'Acceptance Stage,' which includes working in a collaborative way, with security researchers and good old-fashioned hackers.

"We may not always have 100 percent philosophical alignment, but we always want to keep a dialog open with the research community to further the common goal of protecting customers," she wrote.

Microsoft's bounty programs break down as follows:

  • Through the Mitigation Bypass Bounty program, the company will pay up to $100,000 "for truly novel exploitation techniques" against protections in Windows 8.1 Preview. "Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest," according to the company
  • Through the BlueHat Bonus for Defense program, Microsoft will pay up to $50,000 "for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. "Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered," according to the program's description.
  • Finally, through the IE11 Preview Bug Bounty program, Microsoft will pay up to $11,000 for critical vulnerabilities that affect IE11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE11 Preview period.

These types of bug bounty programs not only represent a way for security researchers to earn cash and fame for their efforts, they can also save money for the companies paying the bounties -- particularly those with as broad a reach as Microsoft. "Microsoft operating systems power more of the world than most people probably realize. Planes, trains, automobiles, food you order, power grids, weather measurement systems, hospital systems -- all kinds of things are affected by Microsoft software," he said. "The cost of fixing a vulnerability is massively higher when the product is in use by the rest of the world."

Ford urged other companies to follow Microsoft's lead in launching similar programs. "[They] make it safe(r) for research like this to be done and provides a positive construct to have a conversation on vulnerabilities with those with a program," he said.

In the context of the Computer Fraud and Abuse Act, Ford said that Microsoft's move "could also serve as a message to global legislators [as to] how valuable this kind of work and the conversation around vulnerabilities can be -- and about how the law is out of sync with how the world operates."

This article, "With bug bounties, Microsoft extends an olive branch to hacker community," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies