Microsoft has announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it’s released later this month. Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors’ software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.
Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won’t lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.
Until now, Microsoft has shied away from such programs. No longer. The company has announced three separate schemes. One of them is a straightforward bug bounty. When Internet Explorer 11 beta is released on June 26 (as part of the Windows 8.1 beta), Microsoft will pay up to $11,000 (and possibly even more) for any critical vulnerabilities discovered by July 26.
This is a program that’s broadly comparable to schemes from Google and Mozilla for their browsers. The major difference is the time constraint. Explaining the limited window for submissions, Microsoft says that it wants to ensure that most critical bugs are reported during the beta (when usage of the software and hence the risk due to flaws is low) rather than after release.
During Internet Explorer 10’s development, for example, there were low numbers of critical flaws reported during the beta, a large spike shortly after release, and then more low numbers. Microsoft wants to move that spike into the beta period, and the limited payout window could encourage researchers to look at the software sooner rather than later.
The company also argues that existing third-party bounty schemes don’t really address products in their pre-release state. Tipping Point’s Zero Day Initiative, for example, offers a way for researchers to be rewarded for disclosing flaws, but only for products that are widely deployed. Paying for bugs during the beta fills this gap.
The other two schemes are more unusual. Microsoft is not providing rewards for security flaws per se. Rather, there are two related programs. The company is offering up to $100,000 for any attack that bypasses Windows 8.1’s anti-exploitation mechanisms. In tandem with this, the company is offering $50,000 for any useful defensive technique that would guard against this exploit.
This pair of programs will start on June 26, but unlike the Internet Explorer 11 program, these two will be ongoing, with no fixed end date.
With these two schemes, Microsoft is doing something a little different from the traditional bug bounty. By focusing on exploit mitigation techniques, the company can learn about both individual problems in specific applications and system-wide issues. Addressing these system-wide issues can shore up the platform by making it harder to exploit flaws in all software on the platform, whether it’s written by Microsoft or third parties.
Source: Arstechnica