June 19, 2013

Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.

win8-1pThe bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.

The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows  — Windows 8.1 Preview. Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.

These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).

On Monday, I asked Mike Reavey, director of Microsoft’s Security Response Center, whether the company was concerned that restricting the offering to beta products might be perceived as a promotional gimmick for Windows 8, which has registered flagging sales and mixed reviews. Reavey said the research gleaned from the bug bounty program may well turn out to be useful in hardening older versions of Windows and IE, but in any case the company was focused on fixing big security issues before releasing these products for broader use.

“These are unique programs, because you don’t see white-market vulnerability brokers incentivizing research on products before they’re released,” Reavey said, referring to bug bounty programs run by companies like iDefense and HP Tipping Point, which pay researchers for critical bugs in third-party software and then work with vendors (including Microsoft) to help fix the problems.

Vulnerability researchers have long dug through beta versions of Microsoft products, only to sit on their findings until the product is officially released. That’s because vulnerability brokers don’t typically pay for bugs in beta versions of popular software. But by tying its offer of up to $11,000 to a 30-day preview window only, Microsoft removes the incentive for researchers to hold onto their findings, said Jeremiah Grossman, chief technology officer for WhiteHat Security Inc.

“When any IE preview edition comes out, researchers will start pounding on it looking for bugs, but since bug brokers don’t pay for preview vulnerabilities the researchers have to hold on to their bugs and hope that they’re still there when the product is finally released,” Grossman said. “Microsoft really is targeting that window of time with this offering.”

Charlie Miller, a former analyst at the National Security Agency and a security researcher who has found his share of bugs in big name software -most notably Apple’s products), applauded Microsoft for trying to fix flaws in software before most customers start using it.

“The whole industry has evolved over the past few years, so there’s now less of a focus on finding and fixing bugs and more of a focus on making exploitation of bugs more difficult,” said Miller, now a security engineer at Twitter. “Most people don’t care about software betas, and Microsoft is trying to change that, and I think that’s good. They’re trying to get the bugs worked out before the software is in most peoples’ hands.”

19 thoughts on “Microsoft to Offer Standing Bug Bounty

  1. Spacely

    So what, people come tell them about their problems, and its up to Microsoft trained monkeys to decide whats novel and whats not ? Seriously ?
    And why only for newer systems ?What about 2003 servers and xp ? They preffer me, as an exploiter, to rather use my techniques for my self and pound all the pos machines i can hack, rather than offering me something nice.

    1. jag


      And, so-called help that’s penned in tech gibberish.

      And, some program has stopped working. MS is checking for a solution, which in my thirty-years of driving PCs, no solution has ever been found.

    2. Andrew

      The first point of yours is an unavoidable part of selling secrets – the buyer doesn’t want to pay for something it already knows but the seller doesn’t want to show his cards before payment because the buyer will then know the secret regardless and is then less inclined to pay

      “And why only for newer systems ?What about 2003 servers and xp ?”

      $$$? Yes, there are plenty of legacy clients out there but I don’t think they are MS’ primary nor preferred source of income

  2. IA Eng

    This could be a way for a software company to drum up sales for their flagship software . In order to find the bugs, one should have a legal copy of the software.

    Look, there is a group of people out there who find bugs at a remarkable rate, and probably will not even bother with this program. These people will wait to reveal them at the next Black Hat conference and get more nods than cash, because they like the fame.

    Some of the flaws – which there can be many in one version of the software since the code has many, many lines of code, are worth their wieght in gold to the underground. A darkside researcher has the potential to pass this to the darkside for a LOT more cash than what any software company is willing to commit to the project.

    I can almost hear people say, well the software company is willing to change their way of doing business and is now offering something for the researchers time and effort. That is all good and well – But do you know what that means to me, as an Information Assurance Engineer? It means they have to rely on outside sources rather than internal talent. What does that mean? In my opinion, its all about the bottom line, sales and marketing.

    You pave a road, when small cracks start to show, you make a plan to repave that road. When large cracks become evident, its time to repave that road once again. The materials, procedures and methods will probably remain the same. I think it applies to most software as well. It has a basic skeletal shape that probably will never change – thats where any security researcher needs to dive into. The processes and use of some of the ways Microsoft software runs isn’t built everytime from scratch, and holes will be found.

    It reminds me of a roulette wheel, when needed it spins and the chance of finding bugs through fuzzing or other methods depends on how well the owner of the software uses a smoke and mirror tactic to cover an old way of doing business.

    RPC, Service Hosts, pipes, all of the old way of doing business is carried on, and on and on. Its like a soap opera, how much more of this way of thought in a security standpoint is secure?

    Windows 8.x is buggy as hell. I don’t trust it at all. I am building a Windows 7 box and plan to revert. There are some interesting NSA style features that are scary about Windows 8 and forensic analysis might be alot easier, but man, the instability isn’t for me.

  3. meh

    Since Windows 7 is still 45% of market share, seems like it would be more prudent to care about the one most at risk… Even Windows XP has 30 times the market share that Windows 8 has…

    1. Ron Murray

      Yep. Build an operating system that nobody wants to use, and nobody will use it. Perfect security.

      1. meh

        Well what I meant is gee how generous of them to offer rewards for one of the least used operating systems around – while ignoring the two that are vastly more common and far more important on a day to day basis.

        1. Ron Murray

          I was actually agreeing with you. Sorry if it appeared otherwise.

          1. meh

            Thanks, I’ve been pretty amazed lately by how tone-deaf microsoft has been in regard to Windows 8, Xbox, DRM, and many other missteps. I can’t tell if it is simply arrogance or ignorance but if they keep going the way they are, Android or Ubuntu will probably be on my next build, especially if steam and more games do a better job with OpenGL.

  4. The Utah Data Center/N.S.A.

    Instead of giving up to 100 grand as a bounty for finding Windows/I.E. exploits, Microsoft should invest that money into making Windows 8 GUI better

    1. meh

      They don’t even have to do that – they have this simple thing called “Add/Remove Components”, all they would have to do is let people strip it out completely and the problem is solved for 99% of users…. and they are so bent on creating their own app market that they will still let it tank rather than doing this.

  5. nsa

    I like the idea of companies doing things like this in order to further improve the security of their products. It also gets hackers with good intentions to work on their trade without having to feel guilty about selling their exploits on the grey market.

    I have to wonder though, if MS is willing to pay $150,000 what would the price be on the grey market from a government bidder? This is one downside to things like this, regardless of how much a company will pay people to discover exploits, criminals and or governments will pay a lot more.

  6. George

    I think its a good idea. A fresh pair of eyes is a good idea, though I do agree that they should look for bugs in all their version. You live from your past mistakes.

  7. Sean Elstins

    All companies that are serious need to have 3rd party security evaluations. When building security into any product, a second set of eyes are important to find the imperfections and vulnerabilities. The US government have been hiring hackers for over 20 years.

  8. Sjandra

    Brian, when you’re going topost an article about Snowden case, about breaking intoChinese networks via backbone switches etc? This stuff is very ontopic for your blog.

  9. Madmonkey

    I still think its a good idea to encourage researchers to find loopholes but as users have already said, letting Microsoft decide what is considered a ‘novel exploitation technique’ sounds like a way to get info on bugs and not have to pay them too! 🙂

    I’m sure there are tons of bugs in their new offerings, and lets not forget some of their ‘metro apps’ are basically web apps, which I’m sure the bad guys will be thrilled about. 🙁

  10. Mike

    I have to agree with Madmonkey, sounds like they are going to get free advice.

Comments are closed.