Weeks after launching its first, formal bug bounty program, Microsoft is set to issue its first monetary reward, according to a blog post by Katie Moussouris, the Senior Security Strategist at Microsoft’s Security Response Center (MSRC).
Writing on Wednesday, Moussouris said that the company has received “over a dozen” submissions since it launched the paid bounty program on June 26, and that “I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)”
Last month, Microsoft announced its new policy to pay for information about serious vulnerabilities in its products. The company had long maintained that it provided other kinds of rewards for information on software holes – mostly recognition and jobs – and didn’t need to offer bounties, as firms like Google, The Mozilla Foundation and Facebook do.
In launching the new program, Microsoft said it will pay researchers up to $100,000 for “truly novel” exploitation techniques that defeat protections built into the very latest version of Windows, 8.1 Preview. It will additionally pay $50,000 for ideas for defensive strategies that accompany a bypass, raising the total potential purse for an exploit and accompanying remediation to $150,000. For IE 11 Preview, Microsoft introduced a short-term bounty program of up to $11,000 USD for critical vulnerabilities that affect Internet Explorer 11 running on the latest version of Windows (Windows 8.1 Preview).
Writing on Wednesday, Moussouris said that the bounty program has already garnered Redmond more vulnerability reports and earlier in the release cycle than the company would have previously. The company has also received reports from researchers who were not frequent contributors in the past. Both were stated goals of the bounty program, she said.
As for competing against the cyber underground and other “black” and “gray market” buyers, Moussouris said that it was never Microsoft’s intention to find itself in bidding wars with criminal groups.
While the black market will always pay top dollar for critical security vulnerabilities against widely used platforms like Windows and IE, Microsoft can beat cyber criminal groups to the market for bugs by offering respectable bounties much earlier in the release cycle, during the beta or preview stage, before products have been widely adopted (and, thus, have caught the attention of cyber criminals).
“It’s not about offering the most money, but rather about putting attractive bounties out at times where there are few buyers (if any),” she wrote. “Trying to be the highest bidder is a checkers move, and we’re playing chess.”
Moussouris said that there are more announcements pending, both on bounties to be paid for reported vulnerabilities and “industry collaboration to help protect customers.” Most likely those will come in a couple of weeks at the Black Hat Briefings hacker conference in Las Vegas. Stay tuned!
Empirical data seems to back up Moussouris’s contention that bounty programs work. A recent study suggests that crowd-sourced vulnerability research, of the kind that bounty programs encourage, is much more cost-effective for firms like Microsoft than hiring full-time staff to look for security holes. A study by researchers at the University of California, Berkeley found that bounty programs are between 2 and 100 times more cost-effective in finding serious security holes compared with in-house research, according to the report.