The threats and attacks may have changed in the last decade, but one thing has remained constant: software giant Microsoft doesn’t pay for vulnerabilities. Never has. Never will. Even as rivals like Mozilla and Google have introduced bug bounty program, the Redmond Washington giant has stuck doggedly with a position it articulated almost a decade ago, refusing to offer monetary rewards for information on software holes. But security experts say that position may have to change.
As the value of previously unknown (or “zero day”) software holes climbs, and targeted attacks using zero-day vulnerabilities make headlines, however, the company may be forced by circumstance to start paying vulnerability researchers for their work.
Signs of a make-over at Microsoft abound. In July, 2010, Microsoft announced changes to the way it would treat the problem of vulnerability disclosure. Rather than argue that there is a single way to responsibly disclose vulnerabilities in software, the company toned down its rhetoric: calling for coordinated disclosure between researchers and software companies. Then, in April, 2011, Microsoft released a much anticipated policy statement covering how its researchers will disclose software flaws. The company underscored that it would require researchers to work with vendors, with few exceptions, such as an unresponsive vendor or an unpatched vulnerability that is currently be exploited in the wild.
The new policy was meant to cover a wider range of security research from the company, beyond addressing holes in its many software products.
“Everyone understands the role of Microsoft as a vendor — we try to fix the issues that are reported to us — but we did not have anything public that defined our other roles in disclosure now that we have the MSRC program,” said Katie Moussouris, senior security strategist at Microsoft.
Researchers have generally welcomed the changes. Moving from “responsible disclosure” to “coordinated disclosure” breaks an unending circle of debate about Microsoft’s definition of what is “responsible.” However, those debates lack the force they once had in a world that is becoming less Windows-centric every day. If anything, Microsoft is losing the attention of the research community, says Marc Maiffret, chief technology officer for vulnerability management and assessment firm eEye Digital Security.
“These days, most people are selling zero-day,” Maiffret says. “Independent researchers don’t have any motivation in any way to work with Microsoft, because why give it to them for free when you can sell it for $80,000.”
Paying for software vulnerabilities was a radical idea back when firms like TippingPoint (then an independent software vendor) introduced its Zero Day Initiative in 2005. Almost six years later, the market for vulnerabilities is well established Today, most vulnerabilities sell to established programs for $5,000 or less, according to a recent survey. TippingPoint (now a division of Hewlett-Packard) buys vulnerabilities for thousands of dollars through its Zero-Day Initiative. Google and Mozilla pay bounties for vulnerabilities in their products as well. More recent entrants into the ranks of private firms that pay for information on security holes include firms like Barracuda Networks. The U.S. Government and intelligence agencies are also known to be reliable sources of money for high value vulnerabilities. But when asked about its own plans, Microsoft says it still fails to see the need to create its own program.
“We are always looking at the best ways to work with the researcher community,” Moussouris says. “In terms of a per-vulnerability bug bounty program, the analysis from us is that not the best way to invest in the security of our product.”
However, that calculus may start changing for Microsoft, say Maiffret and others. As attackers’ strategies mature, resulting in greater criminals rewards, exploitable vulnerabilities have become more valuable. Rather than putting up with the hassle and legal jeopardy of dealing with a software company to fix a vulnerability for free, researchers are more apt to look for a market for information on valuable vulnerabilities.
“It is work that very much has a value in the market,” Maiffret says. “And if Microsoft does want that work, or any technology company wants that work, they are going to have to pay for it at some point.”
Yet, competing with the gray vulnerability markets is a losing proposition, argues Moussouris.
“If you actually look at the public information out there as to the asking prices — what the highest bidders are paying, what the black market or government agencies are willing to pay — I don’t really sees how a vendor outbidding them solves that problem,” she says. “The really dark entities who are buying vulnerabilities will just raise their asking prices.”
Still, a bounty program has worked well for another large technology company: Google.
The search giant has found that its vulnerability programs — one for its Chromium Web framework that powers the Chrome browser and another for its Web applications and properties — have resulted in a sustained increase in the number of high-quality bug reports.
Finding better ways to discover and patch vulnerabilities should be a top priority for any software company, Chris Evans, a member of the Google Security Team, said in a written interview. Paying researchers for a bounty for bug means that a company is more likely to get information about vulnerabilities that may not be disclosed any other way, he says.
“Currently, there is a lot of overlap in bugs that are being discovered in software,” Evans says. “Therefore, if you have a bug bounty program that respects and rewards researchers, there’s a good chance that it will enable you to learn about some bugs that would have otherwise appeared in a zero-day attack.”
The company has paid out more than $350,000 between the two programs, offering up to $3,133.70 — “31337″ is hacker speak for “elite” — for critical issues found in its browser or in its Web applications. The Chromium reward program, which debuted in January 2010, resulted in triple the average number of submissions for many months, Evans says. The Google Web reward program did even better: After in November 2010 launch, Google saw a multi-month spike of five times its previous volume, with 85 percent of researchers submitting a bug to Google for the first time.
Should Microsoft implement a bug bounty program? Google’s Evans would not specifically offer the advice to the software giant, but did say, “I believe that any large software vendor … could produce safer software with such a program in place.”