Microsoft has expanded its bug bounty programs to allow more people to submit flaws and has announced it is willing to pay $100,000 for new mitigation bypass techniques.
In a statement, Katie Moussouris, senior security strategist at Microsoft Security Response Center, said that it is expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas, to include responders and forensic experts who find active attacks in the wild.
“Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organisations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000,” she said.
“In this new expansion of Microsoft’s bounty programs, organisations and individuals are eligible to submit proof of concept code and technical analysis of exploits they find in active use in the wild for our standard bounty amount of up to $100,000. Participants would also be eligible for up to $50,000 in addition if they also submit a qualifying defense idea. The submission criteria are similar – but the source may be different.”
Participants must be pre-registered and sign an agreement, and payment will be offered for rare new exploitation techniques before they are used and if they are currently being used in targeted attacks if the attack technique is new.
Moussouris also said that Microsoft are willing to pay $100,000 for rare new mitigation bypass techniques, saying that these are “much more valuable than learning about individual bugs because insight into exploit techniques can help us defend against entire classes of attack as opposed to a single bug”.
Commenting, Robert Hansen, technical evangelist at WhiteHat Security praised the new approach and said it could change the way the black hat market currently works.
He said: “Microsoft’s new program allows researchers, forensics experts and vulnerability brokers alike to give vulnerabilities to Microsoft regardless of whether they were the author of the vulnerability or not. If Microsoft hasn’t seen the vulnerabilities before, they will pay the disclosing party regardless of whether they were the ones to create the vulnerability or not.
“This gives incentives to any party who has been targeted with custom exploits to be paid for sending their exploits to Microsoft. This is good for Microsoft because it allows them to be a centralised vulnerability knowledge-base and gives a lot more incentive to researchers to disclose more vulnerabilities that they find in their inboxes, or on compromised machines.
“This is definitely a new approach to vulnerability disclosure programs, and I think it will make a lot of waves amongst the community who has, thus far, paid exclusively on attributable vulnerabilities. It could even somewhat disrupt some of the blackhat markets, by encouraging blackhats to buy or find each other’s vulnerabilities and sell them to Microsoft to reduce the competition. I just hope Microsoft is prepared for the onslaught of vulnerability reports they’ll be receiving.”
