
Microsoft’s new bug bounty program offers up to $11k in incentives

Microsoft, which has long kept the roll-out of a “bug bounty program” at bay, finally introduced monetary incentives for researchers who report vulnerabilities in its software.

On Wednesday, the tech giant announced the details of a program that would pay bug hunters up to $11,000 for discovering critical vulnerabilities in its Internet Explorer 11 and Windows 8.1 preview software.

In addition, Microsoft also revealed two more initiatives, the “Mitigation Bypass Bounty” and “BlueHat Bonus for Defense” programs, that would, respectively, pay researchers up to $100,000 for disclosing “truly novel” ways of exploiting its Windows 8.1 preview software (released later this month), and further reward them with up to $50,000 for “defensive ideas” or technologies that could help the company avoid such exploits.

The three programs will officially launch next Wednesday, according to a post at Microsoft's Security Response Center website.

On Wednesday, Trey Ford, the general manager for Black Hat, the annual security conference in Las Vegas that features discussions, training and live hacking demonstrations, said that Microsoft eventually following the lead of other major companies with bug bounty programs, like Google and Facebook, highlights how the company has had to evolve with the times.

According to Ford, the program shows an evolution in Microsoft's way of thinking – and one that didn't happen overnight.

Just last year, Microsoft appeared to test the waters when it introduced The BlueHat Prize contest, which rewarded up to $200,000 for valued exploit mitigation techniques. The winners of the contest were announced at Black Hat 2012. But the new bug bounty program marks the company's first permanent effort to pay researchers explicitly for vulnerabilities.

“This has probably been in the works over the last three years,” Ford said. “The cost [of] patching and the value of getting this information earlier from researchers has to be massive.”  

Given the underground exploit markets' prowess in selling zero-day threats for major bucks, Microsoft's bounty program will allow a “more constructive conversation with the research community,” since more than a pat on the back will be offered for their efforts, Ford explained.

Over the years, researchers have voiced their frustration with vendors' unwillingness to pay researchers for their help in curbing threats. Back in 2009, researchers Dino Dai Zovi, Alex Sotirov and Charlie Miller memorably heralded a “No More Free Bugs” campaign.

In a Wednesday blog post, Robert Graham, CEO of Errata Security, further expounded on the point that Microsoft's rollout of bug bounty incentives was something it could no longer avoid in today's exploit market.

“Instead of pimping your [vulnerability] for fame, you can now sell it to an interested party, such as Russian organized crime, Chinese spies, or the NSA cyber warriors,” Graham wrote. “The right bug, to the right customer, at the right time, can be worth $1 million. Even crappy bugs can be worth $10,000. That means Microsoft can no longer count on people disclosing bugs to them – they have bid against the Russians, Chinese, and Americans,” he wrote.
