Increase in bug bounty payments predicted to boost patch releases
The quantity of patches released by Microsoft will rise this year and into the future after its decision to increase bug bounty payments.
Speaking to SC Magazine, Mark Raeburn, CEO of Context Information Security, said: “The increase in bug bounties will increase the number of patches as more people will be looking out for flaws and they will be looking to fix them.
“Microsoft is late in the day on this, but it is good. You can pay people to do it or allow anyone to do it and pay them afterwards, provided it is done in a managed environment.”
Microsoft announced that it will pay up to $100,000 (£64,670) for 'truly novel exploitation techniques' against protections built into Windows 8.1 Preview, while it will pay up to $50,000 (£32,335) for defensive ideas that accompany a qualifying mitigation bypass submission.
Finally, it will pay up to $11,000 (£7,113) for critical vulnerabilities that affect Internet Explorer 11 Preview on the latest version of Windows, although these must be submitted in the first 30 days of the Internet Explorer 11 beta period (between 26th June and 26th July 2013).
Craig Young, security researcher at Tripwire, said: “I think that the changes to the bounty program not only help researchers feel that their efforts are appreciated by Microsoft, but that it could over time actually reduce the number of patches as Microsoft's exploit mitigation techniques improve through increased scrutiny from white hat researchers.”
Paul Henry, security and forensic analyst at Lumension, said: “Since the announcement of the program took most security researchers by surprise, it will likely be a few months before we really see the effects of the program. That said, I do expect to see the number of bulletins Microsoft issues increase over the second half of this year.
“Microsoft has long resisted implementing a bug bounty program, which other vendors have found success with. The start of the program will likely increase the number of bulletins we see over time, but in the long run, will ensure that Microsoft products are more secure. It will also help motivate researchers to improve their disclosure with Microsoft over other sources that purchase vulnerabilities, which includes bad guys.
“This ensures Microsoft will be aware of vulnerabilities more quickly and we won't see as many bugs being exploited in the wild before Microsoft is ready to release a patch.”
Tyler Reguly, technical manager of security research and development at Tripwire, said: “I think that the platforms covered by the bounty program will limit the number of submissions. We may see additional patches, but I don't suspect we'll see vastly increased numbers.
“In the end though, while patches make the lives of those in IT more difficult, they improve security and make everyone safer.”