Microsoft on Wednesday announced its first ever formal program to pay security researchers for finding software vulnerabilities in its newest products.
The bug bounty program will launch on June 26 and be formally unveiled at the upcoming Black Hat Briefings hacker conference in Las Vegas at the end of July. And, though late to the party, Microsoft is making up for lost time by going large. The Redmond, Washington software maker will pay researchers up to $100,000 for “truly novel” exploitation techniques that defeat protections built into the very latest version of Windows, 8.1 Preview. It will additionally pay $50,000 for ideas for defensive strategies that accompany a bypass, raising the total potential purse for an exploit and accompanying remediation to $150,000.
Additionally, Microsoft announced a short-term bounty program for its Internet Explorer 11 Preview, with the company paying up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows (Windows 8.1 Preview). Aspiring researchers can submit vulnerabilities between June 26 and July 26, 2013, the first month of the IE 11 Preview beta period.
In an official statement, Mike Reavey, the Senior Director of Microsoft Security Response Center (MSRC) said that the bounty programs are “researcher-focused” and geared towards learning of vulnerabilities as early as possible. The programs “will help to fill gaps in the current marketplace and enhance our relationships within this invaluable community, all while making our products more secure for our customers,” Reavey is quoted as saying.
Microsoft is a latecomer to the world of bug bounties. TippingPoint (now part of HP) launched the first such formal program in August 2005. It has since been copied by countless large and small firms, including Google, The Mozilla Foundation, Facebook, Barracuda Networks, AT&T and others. As recently as 2010, the software giant steadfastly refused to consider monetary rewards in exchange for information about software vulnerabilities affecting its products, even while it actively courted the vulnerability researcher community at events like Black Hat.
Notably, the program also does not offer rewards for vulnerabilities in legacy Windows products such as Windows Vista, Windows 7 or production versions of Windows 8 or IE. That’s likely to rankle IT administrators, who must still defend those systems against attacks that use exploits in previously undiscovered (“zero day”) vulnerabilities in those platforms.
What the Microsoft program lacks in timeliness, it makes up for in size. The top award of $150,000 matches Google’s bounty for a web-based exploit of a vulnerability in its Chrome browser that delivers “persistence” on the target machine. That reward was part of a $3.14 million package of prizes announced at the CanSecWest security conference in Vancouver in January.