Microsoft Finally Offers To Pay Hackers For Security Bugs With $100,000 Bounty
Courtesy Andy Greenberg, Forbes
For years, Microsoft has refused to offer financial rewards to researchers who tell the company about security flaws in its software, even as Google and Facebook have ratcheted up their so-called “bug bounty” programs. Now the software giant has suddenly changed its mind, and in some cases it is offering even bigger bounties than those competitors.
On Tuesday Microsoft announced that it’s now willing to pay up to $100,000 for information about security bugs that can be used to bypass the defenses of Windows, starting with the upcoming preview version of Windows 8.1 to be released later this month. For researchers who also detail new defensive techniques for preventing similar bugs from being exploited in the future, Microsoft will pitch in an extra $50,000 “Defense Bonus” per submission.
“These are super challenging to discover and they require a new technique,” says Mike Reavey, director of Microsoft’s Security Response Center. “So to get people thinking in this area really does require a top-dollar reward.”
Aside from those $100,000 and $50,000 bounties, Microsoft will also pay up to $11,000 for exploits affecting the preview version of Internet Explorer 11, a strategy designed to fix the software’s bugs before it’s widely released to users. “[Most organizations] don’t offer bounties for software in beta, so some researchers would hold onto vulnerabilities until the code is released to manufacturing,” reads a blog post about the bug bounty program from Microsoft’s senior security strategist Katie Moussouris. “Learning about these vulnerabilities earlier is always better for us and for our customers.”
Microsoft’s payouts compare to just $20,000 offered by Google for bugs in its Web applications, though the search firm did briefly offer $150,000 for a bug in its Chrome operating system in a competition in January and $60,000 for bugs in its Chrome browser the year before. Mozilla offers up to $3,000 for bugs in its software. Facebook pays a minimum of $500 but doesn’t specify its maximum reward.
Since Bill Gates’ Trustworthy Computing memo in 2002, Microsoft has built a reputation for working closely with the security research community, hiring hackers and hosting the Blue Hat security conferences in Redmond. At the Black Hat conference last year it awarded the first Blue Hat prize for researchers who develop defensive techniques against exploits, totaling $260,000 in rewards.
So why start paying bounties for bugs in its software only now? Microsoft’s Reavey says that the company has been receiving a growing stream of reports through third-party bug-buying programs like the HP-owned Zero Day Initiative and Verisign’s iDefense, which pay up to $10,000 for bugs and report them to the software’s vendor. It also saw the impact of events like the annual Pwn2Own competition, where hackers are sometimes paid six-figure rewards for developing advanced exploits against Microsoft products and then revealing their techniques. “We find out about [these advanced exploits] once a year through these events, or unfortunately, in the wild,” says Reavey. “We want to get them year round as early and often as possible.”
Part of the incentive for Microsoft’s program may also be the growing bounty for exploit techniques among a different community: government and black market buyers who plan to use them for espionage or for crime. According to interviews I conducted in March of last year, a working exploit affecting Windows could earn a hacker between $60,000 and $120,000 from an intelligence or law enforcement agency, and one that achieves full compromise of a Windows computer through Internet Explorer could earn as much as $200,000.
In her blog post, Moussouris alluded to those less-friendly bug-sellers, arguing that Microsoft’s program aims to give them an equally lucrative alternative, and that its “Defense Bonus” may also make their offensive hacking more difficult. “With the strategic bounty programs announced today and the industry collaboration program enhancements to come, Microsoft will simultaneously encourage those who want to work with us while increasing costs for those whose actions cannot be affected by bounties or other incentive programs.”