Microsoft boosts bug bounty programme rewards

News by Adrian Bridgwater

Bonanza for bug hunters? After Windows 10, it's time to clean up

Microsoft has of course now completed the initial launch of its Windows 10 operating system. With this plateau now conquered, the firm is using this immediate period of aftermath to clean up any areas where buggy imperfections might still be lurking.

The recharged Microsoft Bounty for Defense programme will now offer almost £65,000 (US$ 100K) as a direct payment to any individual who has helped reinforce the firm's defence systems and related technologies.

Specifically, Microsoft will pay up to US$ 100,000 for insight into what it calls ‘truly novel exploitation techniques' that can be used to act against protections built into the latest version of its operating system.

Leaps and bug hops

According to Microsoft, the firm is making a concerted effort to learn about new exploitation techniques earlier. This approach helps Microsoft improve security ‘by leaps', it says, instead of capturing one vulnerability at a time, as a traditional bug bounty alone might typically achieve.

“Our new bounty programmes add expanded depth and flexibility to our existing community outreach programmes. Having these bounty programmes provides a way to harness the collective intelligence and capabilities of security researchers to help further protect customers,” said Microsoft, in a statement on its own TechNet technical engineering resources and tools site.

Back in November 2013, Microsoft initiated the Mitigation Bypass Bounty and the Bounty for Defense. It continued expanding its bounty programmes and in September 2014 announced the Online Services Bug Bounty programme.

This news has broken in line with the Black Hat conference, which is held in Las Vegas this August. Speaking at the event was Jason Shirk in his role as security architect at Microsoft.

Shirk blogged late last week as follows, “These additions to the Microsoft Bounty Programme will be part of the rigorous security programmes at Microsoft. Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits.”

A wider perspective on the news

Microsoft is fundamentally placing more emphasis on combating authentication security flaws with these moves.

Antoine Feriaux, enterprise solutions consultant for EMEA at Accellion, has said that the advent of Windows 10 tackles several inherent security and operational issues that have blighted the platform for some time.

“Application vetting and biometric authentication – including facial recognition – are the main new security features at the centre of Windows 10, representing a major shift from Windows 8, which centred on the implementation of touch and the Metro user interface technology,” said Feriaux, speaking to SC today.

Feriaux's comments resonate with the wider efforts being made here to tackle security vulnerabilities with the firm's browser in mind. “Even though the last iteration of Microsoft's legacy Explorer web browser was a major overhaul of the IE code base, it was marred by a poor reputation for security, performance and usability, perhaps unfairly inherited from previous versions,” added Feriaux.

Microsoft's own Shirk says that it has been great to see the reaction from the research community to the Microsoft Edge Bug Bounty, and the Azure addition to the Online Services Bug Bounty Programme.

An open approach

David Flower, managing director for Bit9 + Carbon Black, also spoke to SC today, saying that there are huge changes happening in the cyber-security industry that are largely being driven by openness and integration.

“No single provider can sufficiently protect organisations from every threat vector – whether commodity malware or specific threat actor groups – via a single source of threat intelligence. Programmes such as these will hopefully help with the drive for more intelligence sharing which can only be a good thing,” said Flower.

These anti-exploitation efforts have surfaced at the same time as the first Windows 10 ‘Service Release 1' fixes, which, it must be stressed, are essentially not security-related updates.

In an email to SC, Gavin Millard, technical director at Tenable Network Security, adds: “With the value of a working remote code execution or privilege escalation zero day vulnerability demanding a premium on the black market, the increase in payouts for bugs affecting Microsoft's flagship products is a welcome policy change. The more researchers motivated to identify issues on a platform, especially one as broadly used as Microsoft's operating systems, the better. One possible unintended detrimental outcome though, is that the chance of earning US$100,000 for a Microsoft vulnerability could encourage researchers away from looking at other outdated and overused code which, as we've seen with Heartbleed and Shellshock, can have some massive bugs that go undiscovered for years.

“Hopefully this move will encourage new researchers into the industry, rather than just focusing the limited pool of hackers that are looking to make major money in the bug hunting business on Microsoft.”
