Microsoft has announced that it will give security researchers cash rewards for devising novel software exploitation techniques, creating new exploit mitigation systems, and finding bugs in the beta of Internet Explorer 11 when it’s released later this month. Bug bounty programs, where security researchers receive a cash reward from software vendors for disclosing exploitable flaws in those vendors’ software, have become an important part of the computer security landscape. Finding flaws and working out ways to exploit them can be a difficult and time-consuming process. Moreover, exploitable flaws have a market value, especially to criminals, as they can be used to propagate malware and attack systems.
Bounty programs address both concerns. They provide a means for compensating researchers for their efforts, and they provide a market for flaws that won’t lead to compromised machines and harm to third parties. Google, Mozilla, Facebook, PayPal, and AT&T, among others, all offer monetary rewards for bug disclosures.
Until now, Microsoft has shied away from such programs. No longer. The company has announced three separate schemes. One of them is a straightforward bug bounty. When Internet Explorer 11 beta is released on June 26 (as part of the Windows 8.1 beta), Microsoft will pay up to $11,000 (and possibly even more) for any critical vulnerabilities discovered by July 26.
This is a program that’s broadly comparable to schemes from Google and Mozilla for their browsers. The major difference is the time constraint. Explaining the limited window for submissions, Microsoft says that it wants to ensure that most critical bugs are reported during the beta (when usage of the software and hence the risk due to flaws is low) rather than after release.
During Internet Explorer 10's development, for example, few critical flaws were reported during the beta, a large spike followed shortly after release, and then the numbers returned to a low level. Microsoft wants to move that spike into the beta period, and the limited payout window could encourage researchers to look at the software sooner rather than later.
The company also argues that existing third-party bounty schemes don't really address products in their pre-release state. TippingPoint's Zero Day Initiative, for example, offers a way for researchers to be rewarded for disclosing flaws, but only for products that are already widely deployed. Paying for bugs during the beta fills this gap.
The other two schemes are more unusual. Rather than paying for individual security flaws, they are a pair of related programs aimed at the platform's defenses. The company is offering up to $100,000 for a novel exploitation technique that bypasses the anti-exploitation mitigations built into Windows 8.1. In tandem with this, the company is offering up to $50,000 for a defensive idea that would block the submitted bypass.
This pair of programs will start on June 26, but unlike the Internet Explorer 11 program, these two will be ongoing, with no fixed end date.
With these two schemes, Microsoft is doing something a little different from the traditional bug bounty. By focusing on exploit mitigation techniques, the company can learn about both individual problems in specific applications and system-wide issues. Addressing these system-wide issues can shore up the platform by making it harder to exploit flaws in all software on the platform, whether it’s written by Microsoft or third parties.
Source: Ars Technica