
Increase in bug bounty payments predicted to boost patch releases


The number of patches released by Microsoft is predicted to rise this year and beyond following its decision to increase bug bounty payments.

Speaking to SC Magazine, Mark Raeburn, CEO of Context Information Security, said: “The increase in bug bounties will increase the number of patches as more people will be looking out for flaws and they will be looking to fix them.

“Microsoft is late in the day on this, but it is good. You can pay people to do it or allow anyone to do it and pay them afterwards, provided it is done in a managed environment.”

Microsoft announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission.

Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).

Craig Young, security researcher at Tripwire, said: “I think that the changes to the bounty program not only help researchers feel that their efforts are appreciated by Microsoft, but that it could over time actually reduce the number of patches as Microsoft's exploit mitigation techniques improve through increased scrutiny from white hat researchers.”

Paul Henry, security and forensic analyst at Lumension, said: “Since the announcement of the program took most security researchers by surprise, it will likely be a few months before we really see the effects of the program. That said, I do expect to see the number of bulletins Microsoft issues increase over the second half of this year.

“Microsoft has long resisted implementing a bug bounty program, which other vendors have found success with. The start of the program will likely increase the number of bulletins we see over time, but in the long run, will ensure that Microsoft products are more secure. It will also help motivate researchers to improve their disclosure with Microsoft over other sources that purchase vulnerabilities, which includes bad guys.

“This ensures Microsoft will be aware of vulnerabilities more quickly and we won't see as many bugs being exploited in the wild before Microsoft is ready to release a patch.”

Tyler Reguly, technical manager of security research and development at Tripwire, said: “I think that the platforms covered by the bounty program will limit the number of submissions. We may see additional patches, but I don't suspect we'll see vastly increased numbers.

“In the end though, while patches make the lives of those in IT more difficult, they improve security and make everyone safer.”
