PUNTA CANA–The Microsoft bug bounty program, started last year as a way to encourage researchers to develop new offensive and defensive techniques, has been a success so far and the company is looking for new ways to expand it in the future. Katie Moussouris, the security strategist at Microsoft responsible for the program’s creation, said that while rewarding researchers for innovative work was a key goal, causing some turbulence in the vulnerability market was also part of the plan.
Moussouris had been working on the bounty program for some time before she was able to launch it last year, and she had paid close attention to the way that not just other bounty programs work, but also how the legitimate vulnerability market operates. Vulnerability buyers and sellers for years have operated mainly underground, but that has changed in the last couple of years as companies such as VUPEN and others have made bug sales into a booming business. Microsoft’s products always are at the top of the list for both attackers and security researchers, and Moussouris wanted to find a way to get valuable offensive techniques in Microsoft’s hands rather than in the hands of vulnerability brokers or attackers.
“We’re never going to outbid the black market. This is about using existing levers to disrupt the vulnerability economy,” Moussouris said in a talk at the Kaspersky Security Analyst Summit here Monday.
Security researchers who once had limited options for making money from their vulnerability work now have a broad spectrum of choices. Depending on their contacts and other factors, researchers can sell bugs to any number of government agencies, defense contractors or third parties. Bug bounty programs provide another option, but they’re typically far less lucrative. Microsoft wanted to make that option more attractive by offering bounties of up to $100,000 for novel offensive techniques that can bypass the exploit mitigations in the latest version of Windows. The company already has paid one bounty and recently expanded the field of eligible participants to include forensics teams and incident responders.
There are more potential additions to the Microsoft bounty program, Moussouris hinted during her talk, but did not provide any new details.
Moussouris said that the pool of researchers capable of finding qualifying bypass techniques is relatively small, and the subset of that group who are willing to submit them to Microsoft is even smaller.
“There are probably only a thousand people worldwide who could do this kind of work,” she said, “And there’s probably only a few hundred who would work with Microsoft.”
There has been quite a lot of discussion in the security industry about exploit sales and potential regulation of the market. But Moussouris says she thinks that would be a mistake.
“I tell governments that I don’t them to regulate exploits because you’ll blind me,” she said. “You’ll make it so the only way I can find out about new attacks is when they hit customers.”
