After years of saying that the company didn’t need a bug bounty program, Microsoft is starting one. The company today will announce the start of a new program that will pay security researchers up to $100,000 for serious vulnerabilities and as much as $50,000 for new defensive techniques that help protect against those flaws.
Microsoft’s new program has several discrete pieces and it differs significantly from the existing reward programs run by companies such as Google, Barracuda, PayPal and Facebook. Those companies offer rewards for researchers who report vulnerabilities in specific products or Web properties, typically paying bounties in the range of several hundred dollars to several thousand dollars. Google will pay much higher rewards for especially serious vulnerabilities in Chrome, sometimes as much as $50,000 or more.
Microsoft security officials say that the program has been a long time in development, and the factor that made this the right time to launch is the recent rise of vulnerability brokers. Up until quite recently, most of the researchers who found bugs in Microsoft products reported them directly to the company. That’s no longer the case.
“That has shifted now because they’re going through brokers. I’ve been working on this for a while and this is the first time the research told us that the majority of people were going through brokers,” said Katie Moussouris, senior security strategist at Microsoft. “If we can find these holes as early as possible, we can protect against whole classes of attack. We don’t want to wait for a third party.”
The system that Microsoft is kicking off on June 26 will pay researchers $100,000 for a new exploit technique that is capable of bypassing the latest existing mitigations in the newest version of Windows. The submission can use existing exploitation techniques, but also has to include a new tactic that can bypass the exploit mitigations that Microsoft has built into Windows in recent years, including DEP, ASLR, /GS, SEHOP and SafeSEH. Microsoft is setting a pretty high bar for these submissions, but company officials say their experience with the BlueHat Prize contest, which rewarded researchers for new defensive techniques, shows that people will participate.
Unlike the company’s BlueHat contest, which awarded $200,000 to a researcher who developed a new technique for defending against ROP attacks, this new bounty is available to multiple researchers. It’s an ongoing program that will pay as many researchers as submit qualifying bypasses. The program will apply to the latest publicly available version of Windows, beginning with 8.1.
In addition to the mitigation bypass bounty, Microsoft also is offering two other rewards. The first is a potential $50,000 bounty called the BlueHat Bonus, which will be available to researchers who develop a defensive technology that can stop an existing mitigation bypass technique. These submissions have to include a technical white paper. The other available reward is for new attacks on Internet Explorer 11, which currently is in preview. For that reward, which is up to $11,000, a researcher needs to submit a critical-severity bug in IE 11 running on Windows 8.1 Preview. That program only runs through July 26.
Moussouris said that as Microsoft looked at the way the research and vulnerability reporting climate was changing, they saw that researchers increasingly were going through brokers. Microsoft also discovered that researchers were holding on to new bugs until the affected product had been released because brokers won’t buy vulnerabilities in beta releases in most cases.
“As we looked at the evolving landscape, we realized we could address this gap, and encourage the research community to work with us,” she said.
Security researchers have been pressuring Microsoft for years to start a program like this, especially once other large vendors such as Google entered the scene.
“I predicted Microsoft would follow Google and Mozilla with a bug bounty program in 2011, so yes, I think it is a long time coming. I like the idea of a high bounty for important research that can improve security across many products,” said Chris Wysopal, CTO at Veracode. “Mitigation bypasses are very valuable on the open market as you could get many zero days to be exploitable with these techniques. Microsoft is clearly trying to steer that research to them so they can make defensive improvements.
“The beta period bug bounty should incent researchers to disclose bugs when they can best be fixed. This should pay for itself as it would cost much more than the bounty to fix these in a patch. They should do this for all their beta products.”
Moussouris said Microsoft will have some of the people who will judge the mitigation bypass entries on site at Black Hat next month, and they will be inviting researchers to demonstrate their submissions live. Whether the company decides to extend the bounty program to other products, or perhaps offer a per-vulnerability bounty as other vendors do, remains to be seen.
“I think there’s enough juice in this program to get [researchers] competing for a while,” Moussouris said.