Microsoft unleashes bug bounty program — for betas, too

Summary: The software giant's bug bounty program will aim to fix security flaws, bugs, and vulnerabilities even before products are released.

TOPICS: Security, Microsoft
IE9 under a zero-day attack before a Patch Tuesday in February. Microsoft wants to reward those who discover serious security flaws even before its software is released. (Image: Rapid7)

Microsoft on Wednesday announced it will launch a "bug bounty" program, designed to stamp out security vulnerabilities in its software before and after its products are launched.

The software giant has previously offered as much as $250,000 for security vulnerabilities disclosed as part of its BlueHat prize during contests, but the company had yet to offer a long-term, ongoing bug bounty program to encourage researchers to find flaws in its products.

"This is the smartest thing we can do," Katie Moussouris, senior security strategist lead at Microsoft Security Response Center (MSRC), told ZDNet on the phone. "We evaluated what researchers were doing, and we noticed the reporting trend was changing. A few years ago, most researchers were going to Microsoft directly. We want to bring that back."

But the twist in the tale is that these bug bounty programs will specifically include the company's pre-release software, such as Internet Explorer 11 preview, which will be included with Windows 8.1 ("Blue") on June 26, helping Microsoft stamp out bugs before its products are released into the wider population.

There's a method to this apparent madness. According to the company, most IE 10 security bugs were disclosed after the browser was pushed out into the wild because only then could the researcher receive a financial bounty for their discoveries through a third-party broker. 

"Most [third-party] brokers don't offer beta bounties. When brokers offered money, researchers reported them, so during the betas there was no incentive to report them. Microsoft wants to fill that gap," Moussouris said. 

Microsoft's projection for IE 11, with this beta bug bounty, is that more disclosures will occur sooner rather than later, while the product is still in the hands of a smaller pool of developers and beta testers.

The company is splitting its security strengthening efforts across three programs:

The first is a "mitigation bypass bounty," which will pay out up to $100,000 per bypass to security researchers who find truly novel exploitation techniques that bypass the platform-level security layer. As Moussouris described it, it's like finding "holes in the shield," which helps Microsoft build better protection against entire classes of attack.

Dubbed the BlueHat Bonus for Defense, the second program gives researchers the opportunity to receive an extra $50,000 if they submit a defensive idea, in the form of a technical whitepaper, that can help block their newly discovered attack.

IE 11 will remain an integral part of Windows 8.1, and a continued target for hackers and malware writers. So, with the third program, Microsoft is offering researchers up to $11,000 per critical-severity vulnerability.

For the IE 11 preview, the payout structure works like this:

[Image: IE 11 preview bug bounty payout structure (Image: Microsoft)]

All three of these programs start on June 26 and continue on an ongoing basis, with the exception of the IE 11 preview bug bounty, which ends a month later on July 26.

Moussouris said the first two programs will help protect Microsoft's desktop platforms. As for the company's cloud and Web-based technologies, such as Azure, Office 365, and the Xbox Live platform: "But we'll see where the programs take us."

For Microsoft, getting security vulnerabilities squashed earlier rather than later is the primary motivation. Asked about researchers at rival companies, such as Google, discovering bugs and flaws in its software, Microsoft said it doesn't mind paying out. "As long as it's OK with your employer, any researcher can participate."

And, learning from PayPal's recent snub of a bug-finding teenager, whom it refused to pay because he fell under its age requirement, Microsoft has opened the doors to those 14 years of age or older, recognizing that younger researchers should still be able to participate.

"If you are at least 14 years old, but are considered a minor in your place of residence, you need to ask your parent's or legal guardian's permission prior to participating in this program," the bug bounty program guidelines state.

On one hand, Microsoft is building a more constructive relationship with security researchers. But at the same time, the company could be seen as employing a "keep your enemies closer" approach. And if the end result is that 90 percent of the world's users have more secure software and platforms, it's a win-win for all involved.


Talkback

66 comments
  • Microsoft on Wednesday announced it will launch a "bug bounty" program,

    That's clearly a waste of time... there isn't enough money in the world to close all the holes in the Windows world.

    End Of Story.....Period
    Over and Out
    • .

      Since there are so many bugs one should become rich, no?
      statuskwo5
      • You would think

        But then you'd be like the little Dutch boy at the dike trying to plug all the holes.
        CaviarRed
    • Expected

      @Linux_Forever, why do you even bother reading anything about Windows when you're so biased toward the only true, bug-free and completely hack-proof OS -- (add dramatic music and drum roll...) Linux? If Windows is so bug-ridden, why would you care if people got rich pointing out all the endless bugs and Microsoft went out of business in the process? You should be thrilled!
      Shift4SMS
    • put money where your mouth is

      This kind of whitehat program is what software companies with CONFIDENCE in their software do.
      Companies like Apple would rather sack top tier whitehats for getting malware into the appstore. When was the last time Apple offered a reward for whitehats?
      MS and Google are way ahead of the field in whitehat programs.
      Apple is at the bottom of the ladder and yet the fanboys think it's bulletproof.
      They'd rather spend money on PR.
      warboat
    • You obviously have never tried Windows 7 or Windows 8.....

      Seriously, there are little bugs in Windows since Windows 7, you people tend to equate Windows with Windows XP, Windows Vista (which also wasn't that bad anyway) and Windows M.E. but neglect the awesomeness in Windows 7 & 8 which could easily defeat ANY Linux-based O.S. on ANY day, especially Crapicol's Ubuntu.

      The only people in the tech world more fanatic than Apple's lovers are Microsoft's haters; both of y'all will have a hard time once Windows 8.1 (Blue) dominates the Tablet-P.C. market and innovates more in one update than both Apple & Linux companies have done in their entire histories.
      Agosto Nuñez
      • My Acer netbook 721-3070 with Win7 64-bit got infected.

        It was made a dual-boot with Linux Mint the first day I got it. Windows 7 was only opened and used to add AV and run critical updates.

        It easily became infected with the Alureon.DX botnet and 4 other viruses with fully functioning and updated AV just by connecting it to the internet and running critical updates. The botnet had full control of my computer, turned on my Proxy Server setting and added a Russian IP address. I had to remove it manually.

        Microsoft bragged that Windows 7 64-bit had advanced driver signing....but, it was easily defeated by Alureon.

        "In November 2010, the press reported that the rootkit has evolved to the point that it is able to bypass the mandatory kernel-mode driver signing requirement of 64-bit editions of Windows 7 by subverting the master boot record,[9] something that also makes it particularly resistant on all systems to detection and removal by anti-virus software."
        -- http://en.wikipedia.org/wiki/Alureon

        Also from what I've been reading, Microsoft's new Windows 8 with UEFI and secure boot is a failure. It's being hacked regularly and becoming infected also. It was only another feeble attempt by Microsoft to hinder Linux installs. People using Linux never needed UEFI in the first place and just wind up disabling it.

        Don't be so quick to praise Microsoft's security efforts; it's not real security and usually only meant for PR purposes.
        Joe.Smetona
        • Microsoft fails security for Win8 and UEFI.

          Typical for Microsoft.

          http://www.theregister.co.uk/2012/09/19/win8_rootkit/

          BTW, where's that ZDNet article on those Chinese military attacks?

          Where's Will Farrell when you need him?
          Joe.Smetona
          • Or, where's Ed Bott when you need the latest spin on...

            ... those Chinese military hacks on Windows?

            Ed? Where's your rebuttal story?
            Joe.Smetona
          • I couldn't help notice..

            That bootkit also pwned the Mac with UEFI. Of course you may retort that UEFI is the vulnerability in the 1st place. My position is that ANY operating system can be cracked, especially when Java or Flash are present on the hard drive.
            JCitizen
          • Joe, see this link.

            Huh, Ubuntu servers hacked? How could they be?

            http://www.zdnet.com/blog/security/ubuntu-servers-hacked-to-attack-others/453
            xuniL_z
        • I call BS on your alureon infection

          You can't get alureon 64 trojan by just connecting it to the internet.
          You had to acquire it (could be passive) and allow it (not passive).
          Furthermore, if you are using windows and logged in as Administrator level user ALL THE TIME, then the user is to blame not the OS.
          warboat
          • The user is to blame, no, sorry, this is a Windows only issue.

            If the user is to blame, I would have been infected at least once in 12 years using Linux with absolutely no anti-virus. Linux users don't use AV and Linux does not get infected. Period.

            Windows, when you initially install it, is vulnerable to infections just by connecting it to the internet, whether you are trying to get drivers, do WGA, install AV, or run critical updates. It's happened to me many times. What's the latest time to infection for Windows, just connecting it to the internet now? Five minutes? It takes longer to run critical updates.

            Check out Google DNS information on page loads. When you connect to Microsoft, you are also connecting to their advertising partners, with a plethora of third-party advertisers with pop-ups, Flash ads, etc.; you are not just connecting to Microsoft. That's what's so nice about Gmail and Google. They are placing their ads (under their control).

            It's not just a simple matter that I'm trying to discredit MS by false accusations. Many, many, times, in the process of installing Windows, I became infected before completing the task and had to wipe everything and start over, hoping to not get infected in the process of installing. I even go to the trouble of using my own network installs for service packs.

            Recently, a friend asked me to look at her Toshiba notebook that had become extremely slow and was displaying very distasteful images every time IE was opened.

            I removed the SATA 150 hard drive and connected it to my Linux Mint netbook with a USB adapter. I installed CLAMAV and the CLAMTK GUI to scan it. It ran and found 3,094 infections. .... This is typical Windows behavior.... If you babysit Windows, like virtually all of the pro-Windows posters here, constantly removing threats, you are only fooling yourself.

            Windows is designed, from the beginning, to have to use AV. It's a financial decision that saves them money at the expense of the consumer. That's all there is to it.

            I'm sorry you have fallen under their spell and propaganda that AV is somehow necessary, but my friend was using AV and in fact had paid for her subscription to a Major AV company.

            You are trying to defend MS, a company that relies on loyal customers (that they readily and constantly abuse).

            You can't tell me how to get my Linux infected. What website should I visit? If you are sincere about computers, give Mint a try and discover, like so many others, that you are not going to get infected, even without AV.

            Here's the screenshot of the Windows scan:

            http://smetona.net/linux/Dorothy.scan.jpg
            Joe.Smetona
          • what kind of networks are you on?!

            I've installed and reinstalled dozens of Windows systems, clients and servers, home and work. I've never once got an infection between installation and getting the security products installed.

            In fact, on all the systems I manage, including at least 6 home systems, I've only had one infection in the last several years. It was a TDSS rootkit that must've been picked up by my kids installing something on a family system, though I never figured out the attack vector.

            I noticed you didn't post the entire list of "3094" infections, just a screen shot of the middle of the list. How many of those were multiple entries for one infection? How many were for web ad and tracking cookies, which will be on any OS that has browser cookies enabled and aren't viruses at all?
            jreuter
          • testing zdnet filter

            I've installed and reinstalled dozens of Windows systems, clients and servers, home and work. I've never once got an infection between installation and getting the security products installed.

            In fact, on all the systems I manage, including at least 6 home systems, I've only had one infection in the last several years. It was a TDSS rootkit that must've been picked up by my kids installing something on a family system, though I never figured out the attack vector.

            I noticed you didn't post the entire list of "3094" infections, just a screen shot of the middle of the list. How many of those were multiple entries for one infection? How many were for web ad and tracking cookies, which will be on any OS that has browser cookies enabled and aren't viruses at all?
            xuniL_z
          • Well normally, I see about 300-400 entries with Windows.

            3,094 is a show stopper. I ran the same software on the Linux Mint and it only displayed 3 or 4 Google tracking entries, not a problem, because I authorized them in my terms of use. Big difference, no matter how you try to spin it.

            There's no critical analysis of loading by malware writers. If Windows is involved, each entry had to be installed, and over time you get over 3,000. Are you asking me to print the entire listing and discern which are botnets, rootkits, spyware, tracking, or viruses? No thanks, that's what Windows users are doing with their time. Suffice to say, she is using Linux Mint 15 Cinnamon now and is extremely happy.
            Joe.Smetona
      • If you want to experience true security try Linux Mint.

        Using AV on Linux is unheard of. Even the main website for Linux Mint declares to readers that anti-spyware and anti-virus are unnecessary. That's something you will never, ever see with Microsoft.

        Imagine you and your family using all your computers for over 12 years without installing or maintaining any AV at all ... and never getting any infections. That's precisely what ZDNet never wants you to know.
        Joe.Smetona
        • Linux Mint website declares AV is not necessary.

          http://linuxmint.com/about.php
          Joe.Smetona
          • The malware I run into...

            doesn't make itself known to the user, and can encrypt its own code on the drive on the fly. No known scanner can rid you of it on the system. Honestly Joe - how are you going to truly know your system is clean?
            JCitizen
          • You need to use your password to install or do admin tasks.

            Linux requires authentication. If you don't give it... nothing gets installed.

            I use the 64-bit repository with 65,000 free applications, and various trusted websites like Google, TrueCrypt, Opera, etc.

            That's something anyone has to do to remain secure, use trusted sources.

            If you run CLAM AV on Linux, it only discovers the Google tracking that you agreed to in your terms of service... i.e. perfectly acceptable.

            Your real problem is you are using a closed source OS, either Windows or Apple, they are legally allowed to do anything with it. Open source is different. Richard Stallman has a great video about Ubuntu starting to allow search results to be used by Amazon for targeted advertising. If you want to avoid this, as he says, just use the modified Ubuntu without it. That's the great thing about the GNU/GPL licensing. You can modify it, recompile it and someone is always watching for violations to freedom.
            Joe.Smetona