Microsoft Changes Bug Bounty Program to Include Incident Responders, Forensics Specialists

Microsoft is expanding its bug bounty program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild.

Having found some initial success with its first foray into the bug bounty world, Microsoft is expanding the program to open up payments of up to $100,000 to incident response teams and forensics experts who come across active attacks in the wild that include new techniques that bypass exploit mitigations in place on the newest version of Windows.

The change is designed to broaden the field of people who can submit new attack techniques to Microsoft, therefore helping the company further secure Windows. In order to qualify for the new program, organizations or individual contributors need to pre-register with Microsoft by sending an email to doa[at]microsoft[dot]com and then submit both a technical analysis of the new technique, as well as proof-of-concept code. Katie Moussouris, senior security strategist at Microsoft, said that the new addition to the bounty program also should allow organizations that are the victims of malware attacks to come forward with contributions.

“The reason we’re asking for proof-of-concept code is that a lot of people may be shy about sharing custom malware samples because there could be identifying information in there,” she said. “We’re interested in the technique. If they want to send us the sample, that’s fine too. We don’t see a lot of new attack techniques, because they’re really rare.”

The Microsoft bug bounty program is different from most vendors’ programs, as it pays out not for individual vulnerabilities but rather for new attack and defensive techniques. The company paid its first $100,000 bounty in October to researcher James Forshaw, who discovered a new technique for bypassing the Windows exploit mitigations. Moussouris said the addition of incident response teams and forensics specialists had been in the works for some time, but the company wanted to wait to announce it until after someone had collected a bounty.

But there’s also another motive for the new bounty: causing havoc in the vulnerability marketplace.

“We’re deliberately doing this to disrupt the existing vulnerability and exploit marketplace,” Moussouris said. “The black market pays much higher prices, but part of what they’re paying for is exclusivity and relying on the technique staying secret as long as possible. I want this to be an incentive for people to blow these ops.”

The idea is to reduce the amount of time that a new technique is useful for attackers, Moussouris said. And this isn’t the end of the changes to the bounty program, either.

“I have some other things up my sleeve,” Moussouris said.

Image from Flickr photos of Pascal.

Suggested articles