Microsoft boosts bug bounty programme rewards
Bonanza for bug hunters? After Windows 10, it's time to clean up
Microsoft has of course now completed the initial launch of its Windows 10 operating system. With this plateau now conquered, the firm is using this immediate period of aftermath to clean up any areas where buggy imperfections might be still lurking.
The recharged Microsoft Bounty for Defense programme will now offer almost £65,000 (US$ 100K) as a direct payment to any individual that has helped reinforce the firm's defence systems and related technologies.
Specifically, Microsoft will pay up to US$ 100,000 for insight into what it calls 'truly novel exploitation techniques' that can be used to act against protections built into the latest version of its operating system.
Leaps and bug hops
According to Microsoft, the firm is making a concerted effort to learn about new exploitation techniques earlier. This approach helps Microsoft improve security 'by leaps', it says, instead of capturing one vulnerability at a time, as a traditional bug bounty alone might typically achieve.
“Our new bounty programmes add expanded depth and flexibility to our existing community outreach programmes. Having these bounty programmes provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers,” said Microsoft, in a statement on its own TechNet technical engineering resources and tools site.
Back in November 2013, Microsoft initiated the Mitigation Bypass Bounty and the Bounty for Defense. It continued expanding its bounty programmes and in September 2014 announced the Online Services Bug Bounty programme.
This news has broken in line with the Black Hat conference, which is held in Las Vegas this August. Speaking at the event was Jason Shirk in his role as security architect at Microsoft.
Shirk blogged late last week as follows, "These additions to the Microsoft Bounty Programme will be part of the rigorous security programmes at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits."
A wider perspective on the news
Microsoft is fundamentally placing more emphasis on combating authentication security flaws with these moves.
Antoine Feriaux, enterprise solutions consultant for EMEA at Accellion, has said that the advent of Windows 10 tackles several inherent security and operational issues that have blighted the platform for some time.
"Application vetting and biometric authentication, including facial recognition, are the main new security features at the centre of Windows 10, representing a major shift from Windows 8 which centred on the implementation of touch and the Metro user interface technology," said Feriaux, speaking to SCMagazineUK.com today.
Feriaux's comments resonate with the wider efforts being made here to tackle security vulnerabilities with the firm's browser in mind. "Even though the last iteration of Microsoft's legacy Explorer web browser was a major overhaul of the IE code base, it was marred by a poor reputation for security, performance and usability, perhaps unfairly inherited from previous versions," added Feriaux.
Microsoft's own Shirk says that it has been great to see the reaction from the research community to the Microsoft Edge Bug Bounty, and the Azure addition to the Online Services Bug Bounty Programme.
An open approach
David Flower, managing director for Bit9 + Carbon Black, also spoke to SCMagazineUK.com today, saying that there are huge changes happening in the cyber-security industry that are largely being driven by openness and integration.
"No single provider can sufficiently protect organisations from every threat vector, whether commodity malware or specific threat actor groups, via a single source of threat intelligence. Programmes such as these will hopefully help with the drive for more intelligence sharing, which can only be a good thing," said Flower.
These anti-exploitation efforts have surfaced at the same time as the first Windows 10 'Service Release 1' fixes, which it must be stressed are essentially not security-related updates.
"Hopefully this move will encourage new researchers into the industry, rather than just focusing the limited pool of hackers that are looking to make major money in the bug hunting business on Microsoft."