Microsoft has taken the fight to hackers who target Windows and Windows-based apps by encouraging them to shop each other for rewards of up to US$ 150,000.
And the company has been warned to prepare for “an onslaught of vulnerability reports” as its new scheme pays generously for information about any new attack techniques aimed at its software.
Previously, Microsoft offered up to US$ 100,000 to a handful of experts who research exposed new ways to seriously breach its products – most notably the UK's James Forshaw of Context Information Security, who last month received the first-ever US$ 100,000 bounty for discovering a major Windows vulnerability.
Talking to SC Magazine UK about the new offer, Forshaw praised the scheme's aggressive intent, commenting, “I don't believe there is any other programme in place which is so focused on disrupting the black and grey market for offensive exploitation techniques.” In contrast, Forshaw noted how, “Most other bounty programmes are internally focused on fixing bugs or provide vendors with early access to vulnerabilities for offensive or defensive purposes.”
Microsoft's expanded scheme is now open to anyone who finds ‘active attacks in the wild', including hackers, incident response teams and forensic experts.
This will mean thousands of individuals or organisations can report new exploits for a prize of up to US$ 100,000. And if they submit “a qualifying defence idea” which shows Microsoft how to defeat the attack, they will get an extra US$ 50,000.
Microsoft will pay even if the person reporting the vulnerability is the actual author. But it will also reward innocent end-users who are victims of new forms of attack.
The scheme is good news for users who are likely to find fewer vulnerabilities last so long in the wild before they are patched. And Microsoft may even close down new exploitation techniques before they are used.
Microsoft senior security strategist, Katie Moussouris, said in a blog post that the scheme is explicitly aimed at disrupting the vulnerability and exploit markets. Microsoft wants to get major bugs out of the market, she said, “before they are widely traded in grey or black markets and subsequently used to attack customers”.
“We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used,” says Moussouris, adding, “… but we'll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.”
The top rewards will only be paid for platform-wide exploit techniques that help defend against entire classes of attack as opposed to a single bug said Moussouris.
Forshaw described the main change as being the wider range of information security professionals now eligible to participate, including incident responders and malware researchers “to prioritise extracting any new exploitation techniques”.
“It should make it more difficult for truly novel techniques to stay secret, working towards the goal of increasing an attacker's resource cost while reducing their window of opportunity to maximise its value. I am confident that this isn't an accidental by-product of the programme,” says Forshaw.
The scheme is forecast to lead to an “onslaught” of attack reports according to Robert Hansen, technical evangelist at WhiteHat Security, who told SC Magazine UK that he also agreed that Microsoft's new approach could change the way the “black hat market” currently works.
“If Microsoft hasn't seen the vulnerabilities before, they will pay the disclosing party regardless of whether they were the ones to create the vulnerability or not. This is definitely a new approach to vulnerability disclosure programmes,” says Hansen, adding, “I think it will make a lot of waves amongst the community who has, thus far, paid exclusively on attributable vulnerabilities.
“It could even somewhat disrupt some of the black hat markets, by encouraging black hats to buy or find each other's vulnerabilities and sell them to Microsoft to reduce the competition. I just hope Microsoft is prepared for the onslaught of vulnerability reports they'll be receiving."
The stakes are high for Microsoft in reducing bugs, as Windows has around 1.25 billion users worldwide. Its regular ‘Patch Tuesday', when it fixes bugs in its products, has also become a very visible demonstration that major vulnerabilities exist and are being exploited.