Microsoft's Bug Bounty Program expands: Snitches welcome?

Summary: Microsoft wants to take a bite out of the exploit market, and has opened its Bug Bounty Program up beyond the usual scope of hackers and researchers.

TOPICS: Security, Microsoft

Microsoft's Bug Bounty Program is taking aim at the black market for exploits, expanding the pool beyond researchers while offering its $100K to those willing to rat out active exploits.

The move was described by Microsoft's Senior Security Strategist Katie Moussouris as "designed to further disrupt the vulnerability and exploit markets."

Microsoft's new "Bounty Evolution" changes the game from giving payoffs to those who invent new mitigation bypass techniques to include squeaky wheels who find or "discover" new attacks in the wild.

So if you know of any exploitation attacks currently in use against Microsoft (Windows 8.1), and you're willing to sing for your supper, Microsoft's expanded bug bounty program operators are standing by - and they'll pay $100K.

Snitches welcome?

Now, it's not just hackers and professional researchers who can cash in on Microsoft's $100,000 bounty: forensic experts, organizations and responders can try to get their slice of the "Blue Hat" exploit pie, too.

While Microsoft's door is now apparently always open for anyone who wants to sing, Microsoft says that anyone who wants to play ball with the Blue Hats has to first send an email to doa [at] microsoft [dot] com to pre-register with an agreement, but then "we'll accept an entry of technical write-up and proof of concept code for bounty consideration."

Going after the black market for exploits is a noble enough dream, but it's hard not to wonder if Microsoft's $100K is enough to flip the kind of tricks they want to pull out of the wild on their products.

That's not to say they don't have tasty enough bait: Microsoft's Bug Bounty program is young, successful and saw its first fat, high-profile payout within four months of its launch.

It bolted out of the gate ahead of the pack when it launched in June. Unlike other programs, it pays for new attack and defense techniques in regard to the latest Windows operating system; those submitting novel defense techniques can nab up to $50K.

In October, British security researcher James Forshaw took the first $100,000 prize when he discovered and reported a bypass of Windows memory protections, the details of which Microsoft did not allow him to disclose.

"Dead or alive"

Microsoft's new play essentially expands its field of potential exploit traders from scattered individuals who invent, to potentially thousands who find, meaning Microsoft is trying to angle itself into a new arena of deal making.

Moussouris explained in Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive,

This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets.

Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.

By expanding our bounty program, Microsoft is cutting down the time that exploits and vulnerabilities purchased on the black market remain useful, especially for targeted attacks that rely on stealthy exploitation without discovery.

She explained that Microsoft will pay cash on the barrelhead for anyone who drags in an exploit "dead or alive."

Meaning, Microsoft will pay for an attack that's fresh and shiny, with no miles on it - and it'll also pay up for exploits with teeth, those currently being used against Microsoft.

We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we’ll pay for them even if they are currently being used in targeted attacks if the attack technique is new – because we want them dead or alive.

The success of the program thus far bodes well for Moussouris' campaign.

But for now, the jury's out on whether the program has enough juice to move the exploit market's meter from black to blue.

  • Hmmmmm...

    Like they say "money talks, everything else walks".... ; )
  • Hmmm

    How much do I get for showing them that Win7/8 Search (for a file) doesn't work...
    • Probably nothing

      since it seems to be working for me quite well when I used it on my RT. And on my boot camped MBA. Can't speak for 7, though, you might have something there.
      Michael Alan Goff
    • Interesting I say 0

      it works for me...must be a I-D-10-T error
  • what the phuq did she just say..?

    She works in Marketing; and the bug nerds work in R/D; she needs a phuqn translator.... was she talking about her time in a Las Vegas jail? Maybe she was telling us that she has a penis tattoo.
    • Look guys! I think it's trying to communicate!

    • WATCH IT!

      People who have penis tattoos find your comment very offensive.
  • Zuckerberg status

    On a more literal note, this offer looks like it could *possibly* be tempting. It's really a question of the 'open source' black-hat hacker ethos (information needs to be open and free) vs. a quick, easy payout.

    They must realize that no matter how big the dollar signs are, that tactic just doesn't resonate with a lot of people. One of my favorite scenes from The Social Network was where Zuckerberg was talking with the Harvard guys about his music prediction software, "it analyzes the music you listen to and makes recommendations for new bands based on music you like."
    "Is anybody trying to buy it?"
    "So how much did you sell it for?"
    "I didn't. I put it online for free."
    (I know it's just a movie, guys. That scene just embodies the ethos of the crowd we're dealing with here. It's a great example.)

    That's not to say there won't be one out there who's willing or desperate enough for a quick and easy payout. This is an interesting move, indeed.
  • Can I Just Say

    Once again, out with the news while everybody else is picking their rear.
    • RE V.B

      I think she's pretty hot too.
  • And that's how you attempt to make a product

    a bit safer... The only problem I see is what would Microsoft classify as a payable exploit vs just a glitch/simple patch exploit they know exists already. I mean, if someone discovers a real threat type exploit (most can cause some damage) and Microsoft says no, it's not worth paying for, do you think said person will retaliate against them and use that exploit to prove they were wrong for not paying him/her and risk more doing it?

    I like companies that do this.
    Free Webapps