Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000.
The bug bounty program is a remarkable shift for a company that has for the most part eschewed paying researchers for finding security vulnerabilities in its products. But unlike tech giants like Facebook, Google, Mozilla and Twitter — which have for some time now offered bounties ranging from a few hundred to several thousand dollars to researchers who report bugs in their products or Web properties — Microsoft is reserving its reward money for research on products that are still in beta.
The reward program — which officially launches June 26, 2013 — will pay up to $100,000 USD for “truly novel exploitation techniques” against protections built into the latest version of Windows — Windows 8.1 Preview. “Additionally, Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying mitigation bypass submission,” the company said in a blog post today.
These two offers are open-ended, but for just 30 days beginning June 26, Microsoft is offering a separate bounty of up to $11,000 for critical flaws in Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview).
On Monday, I asked Mike Reavey, director of Microsoft’s Security Response Center, whether the company was concerned that restricting the offering to beta products might be perceived as a promotional gimmick for Windows 8, which has registered flagging sales and mixed reviews. Reavey said the research gleaned from the bug bounty program may well turn out to be useful in hardening older versions of Windows and IE, but in any case the company was focused on fixing big security issues before releasing these products for broader use.
“These are unique programs, because you don’t see white-market vulnerability brokers incentivizing research on products before they’re released,” Reavey said, referring to bug bounty programs run by companies like iDefense and HP Tipping Point, which pay researchers for critical bugs in third-party software and then work with vendors (including Microsoft) to help fix the problems.
Vulnerability researchers have long dug through beta versions of Microsoft products, only to sit on their findings until the product is officially released. That’s because vulnerability brokers don’t typically pay for bugs in beta versions of popular software. But by tying its offer of up to $11,000 to a 30-day preview window only, Microsoft removes the incentive for researchers to hold onto their findings, said Jeremiah Grossman, chief technology officer for WhiteHat Security Inc.
“When any IE preview edition comes out, researchers will start pounding on it looking for bugs, but since bug brokers don’t pay for preview vulnerabilities the researchers have to hold on to their bugs and hope that they’re still there when the product is finally released,” Grossman said. “Microsoft really is targeting that window of time with this offering.”
Charlie Miller, a former analyst at the National Security Agency and a security researcher who has found his share of bugs in big-name software (most notably Apple’s products), applauded Microsoft for trying to fix flaws in software before most customers start using it.
“The whole industry has evolved over the past few years, so there’s now less of a focus on finding and fixing bugs and more of a focus on making exploitation of bugs more difficult,” said Miller, now a security engineer at Twitter. “Most people don’t care about software betas, and Microsoft is trying to change that, and I think that’s good. They’re trying to get the bugs worked out before the software is in most people’s hands.”