Microsoft’s Bug Bounty Program and the Law of Unintended Consequences

The Microsoft bug bounty program has been nearly a decade in the making and it is clear from the shape and size of it that the company did not simply slap the program together in order to join the cool kids. Rather, Microsoft’s security team spent years watching the way other programs work, seeing what incentives attract good researchers and looking for a system that made sense for Microsoft’s specific goals. The result is a well thought-out reward system that likely will reward good research while making customers safer at the same time. But the program may also create some unintended consequences and ripples in the security world.

In order to understand what Microsoft is doing and why the company waited so long to begin offering rewards to security researchers, you have to widen your focus and have a look at what’s been happening recently. Bug bounty programs have been around for the better part of a decade now and in that time they have evolved to reflect the changing times. Some of the older ones began with relatively low rewards, in the neighborhood of $500 or $1,000 for serious vulnerabilities. When these programs launched, they were essentially the only option for most researchers looking to make some money from their work. Unless you worked for a company that paid you to do vulnerability research, submitting a bug to Mozilla or Google was likely your only path to some sort of remuneration.

Some well-connected security researchers have always had other options, however. There has been a market for vulnerabilities for a long time, but it was the digital equivalent of a speakeasy. If you didn’t know who to ask or where to go, you were out of luck. The researchers who knew which door to knock on, though, could make it pay. There was real money available from a few select sources. But it was still a relatively small group of buyers and sellers.

As security research became more mainstream in the last 10 years or so, that dynamic has changed. Researchers who once did the work out of a sense of intellectual curiosity began to realize that they could make a good living from what may have been a sideline. They began pressuring vendors to cough up money for bug reports, and many did. In addition to Mozilla and Google, there is a long list of technology and Web companies that now offer some sort of reward for vulnerability research, including Facebook, PayPal, Barracuda, Samsung and others. The “No More Free Bugs” movement paid off.

But the two biggest fish–Microsoft and Apple–had refused the bait. Microsoft officials have always said that they had no reason to offer incentives to researchers because the vast majority of them reported bugs directly to the company. But the last couple of years have seen a major increase in the number of researchers going through third-party brokers, companies that buy vulnerability information and then report it to the vendor later. Microsoft was seeing fewer and fewer direct vulnerability reports, and that was worrisome. It meant a longer lag time between the discovery of a bug and the release of a patch, which could be trouble for customers.

So Microsoft shifted gears and came up with not just any bug bounty program, but one that offers $100,000 for a technique that can bypass the various exploit mitigation technologies in Windows. Developing a technique like that can be a huge amount of work, something that Microsoft officials know, so they tacked up a wanted poster with a serious reward. A $100,000 payment for a new exploit technique is no joke, but the problem is that even that may not be enough.

The rise of third-party brokers and the competition among governments and defense companies to buy vulnerabilities has made them much more valuable. Researchers now have multiple options where once they were severely limited. And an exploit that can bypass the best mitigations in the newest version of Windows is among the more valuable commodities one can have in this day and age. Unfortunately for Microsoft and its customers, that exploit likely is worth quite a bit more than $100,000.

“The backdrop to any bug bounty program is the zero day vulnerability market where researchers sell to governments and potentially anyone with cash instead of informing the vendor, bounty or not. The growth of this market and its potential to grow more is part of the equation any vendor uses to decide whether or not to have a bounty program and what to set bounty values at,” Chris Wysopal, CTO at Veracode and a veteran of the research community, wrote of Microsoft’s new bounty program.

Until yesterday, a researcher who developed that kind of exploit would have had a few options. One, report it directly to Microsoft, wait for the bulletin to come out a few months later and enjoy seeing his name in the acknowledgements section. Two, sell it to one of the brokers for a few thousand dollars. Or three, sell it on the open market for whatever price he could get. Now, that same researcher knows that he has a guaranteed buyer for the exploit (assuming he meets the reward criteria) and can use that as leverage to drive up the price with private buyers.

“From what I’ve seen, a comparable exploit to what Microsoft is paying might go for as much as $250,000 or more in some cases. The economics are complicated though, because good code execution vulnerabilities appear to have a lot of buyers. It’s assumed that many governments wouldn’t flinch at dropping that kind of money if they had the need for it, or interest in removing it from the hands of a potential adversary,” said Robert Hansen, a longtime security researcher and director of product management at WhiteHat Security.

Many, if not most, of the buyers on the private market are paying for vulnerabilities not to fix them but in order to use them against specific targets. Governments and defense contractors are the main market here, and they have little to no interest in seeing these bugs killed. These customers want their bugs to enjoy long, productive lives and to be available for duty whenever needed. The researchers who have the skill to develop the kind of mitigation bypass that Microsoft is interested in know this and they also know the value of their work. An eager, experienced buyer will know these things as well, and also will know that if he passes on the chance to buy the exploit, it may go to a competitor or, worse yet from his perspective, Microsoft, who will then develop a defense for it. Dead bugs are of no use to anyone.

“The Windows bypass bounty of $100K is a brilliant idea; however, finding such bypass techniques in Windows 8.1 is expensive and requires higher technical skills than simply finding an IE use-after-free with automated fuzzing, thus I do not expect too many submissions from researchers except from those not really having 0day buyers. At the same time, this $100K amount will be a minimum base market price for Windows 8.1 zero-day exploits, and government agencies will have to pay much more to beat Microsoft and get such weaponized exploits,” said Chaouki Bekrar, CEO of VUPEN, a French firm that develops and sells exploits to government customers.

For years, there have been a slew of researchers wanting to sell bugs to Microsoft, but Redmond wasn’t interested. Now what may be on the horizon is a situation in which Microsoft is holding a bag of money and there are no researchers willing to take it.
